Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: What to Look for in Your Dream Assessor
Quick Take
On this week’s episode, the Compliance Unfiltered crew has a topic that dreams are made of for you: what to look for in that “dream” assessor. When it comes to identifying the right assessor for your organization, folks often don’t know where to start. In this episode, Adam gives you the roadmap to success. Curious about some basic validation points? No worries. Wondering what you can look for to see if a firm is a good fit? The Compliance Unfiltered guys have you covered there too. All these topics and more, on this week’s episode of Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
Highlights include:
- Why is finding your “forever assessor” so challenging?
- Where should you start the search?
- What are some of the basic validation points?
- Picking a firm that’s a good cultural fit
- How can you further assess the assessment firm?
- How do location and costs play into the decision?
- What about system requirement considerations?
These topics and more on this week’s episode of Compliance Unfiltered!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who many compliance dreams are made of. Mr. Adam Goslin himself. Adam, how the heck are you? I feel like I should be singing some song from a 50s or 60s movie or something. Well, how are you going to tease things like that and not come through in the clutch? Who can make a rainbow or something? I don’t know, but I’m excited to hear where you go with this now. Yeah, just never know.
Well, Adam, we’re gathered here today to talk about dreams of sort. And for many organizations, a topic that could potentially be a nightmare, and that’s finding the proper assessor. Some might say finding your dream assessor before an extremely important engagement.
And I’ll ask you, where do you start? Well, finding the, I’ll call them the dream assessor, the forever assessor, whatever. Bottom line, finding the right assessor. The reason that it’s challenging is that you’ve got different assessment firms, even assessment firms that are supposedly going against the same certification. And so, these 18 firms are doing SOC, or these 20 firms are doing PCI, and every single one of them is gonna take a different approach, right? I mean, each of them, if you will, they’re businesses, they’ve got ways they do things, competitive advantages, approaches and methodologies that will be their secret sauce, if you will. So it’s challenging to find that perfect assessor, just because there’s so much variability in the marketplace. Heck, even variability when you’re within the same firm. So I could go to this assessor, versus that assessor and have differences. So, the different firms take different approaches. They have different philosophies of how they want to do the things they do. They even have different cultures. So, it ends up being a little more challenging than people give it credit for out of the gate. Well, that challenge is something that, I mean, I don’t know if you can necessarily prepare for it. It’s one of those things that you don’t know until you know.
But I guess, where should you look to start knowing, Adam? How do you get rolling here? Well, I mean, the first thing that I would do is talk to people that you know and trust that have gone through compliance, right? I mean, it doesn’t matter if they’re going up against HIPAA, SOC or NIST, ISO or PCI, whatever it may be, just reach out to folks whose opinion you trust, and go have conversations with them about what certifications they’re going up against? And, what was their experience with this firm? And, whatnot, use that pool. And when you have that conversation with them, ask them about their experience with the firm, with the people that they interact with, whether it’s positive, or negative, those are all good inputs to be able to bring to the table. You might as well learn what you can from their experience, so that you’re better off for it. Certainly, if folks have access to some type of security or compliance consulting firm, somebody that basically acts as an intermediary between clients and their certifications, and their chosen assessment firms. Those folks in particular have experience across many different assessors and assessment firms. And so, they can really give you insight, experience, and help shortcut that process. So, it can be super helpful to be able to leverage somebody like that in that space as well.
Now that makes a ton of sense. What are some of the basic validation points some folks should be looking to address? Well, I mean, once you’ve got a pool, I’ve done my digging, I’ve done my research, whether it’s that or just literally looking up assessment firms by the certification that you’re doing. Once you have a pool of different firms out there, the first step, and this sounds like a no-brainer, but go in and validate that the firm actually does the certification that you’re seeking. So if you need HIPAA and SOC, and ISO and PCI as an example, well, the people that are on the potential list, they may not do all of those certifications. So make sure that they actually do them. And one thing that I’ve learned from experience is when you talk to the firms, ask them if they do the assessment themselves, or if they outsource. Because there’s some of these assessment firms that everybody can’t be everything to everyone, and I get that, but it’s good for you to be able to walk in eyes wide open. So if you’ve got to go down a particular certification route, then you absolutely want to be walking in eyes wide open as to are you really going to be just dealing with the vendor they picked? In some cases, that notion of yes, we have to outsource to so-and-so for this portion, in some cases, the assessment firm that you’re contracting with, so let’s say they do three of your four certifications, but don’t completely fill out the fourth one, and they do have somebody that sits off on the sideline, then ask them, am I going to need to interact with that person? Or, are we going to be able to just work with you, and then you do the coordination with them? So that’ll really drive your experience. The other thing that I would say for the basics in the validation points area, is also put some thought into potential future certifications or standards that you’re going to run into. 
So if I know that I’m dealing with a lot of folks that are in the banking industry, and they don’t necessarily go against any particular banking cert, or we deal a lot with manufacturers as an example, and nobody’s really pressed them to go get any particular ISO certification. It’s good to think about what could be coming in our near-term future as an organization, and asking the pool of people that you have, oh, by the way, I have a suspicion that this certification is going to come into play for us a couple of years down the road, is that something that you do today? If they check all the other boxes, well, then you might as well get the one that’s going to be able to grow with you as you go through that process. Sure.
Speaking of people, anybody who’s listened to this podcast for any length of time knows that I always tell my children, I buy things from people, not from places. And, that’s because relationships matter. Culture matters, specifically when you’re working with a firm like this, they’re going to get to know the intimate details of your business. Talk to us about what the culture of the firm needs to look like in order for it to be a successful partnership. Sure. And I mean, it’s like any relationship, right? I mean, there’s people that mesh well, and people that don’t. You want to make sure that you’ve got alignment. Is your firm really laid back and easygoing? You’re probably not going to be seeking an assessment firm that’s hyper-rigid. Another organization that internally, they value that rigidity and structure, maybe seek comfort in gaining an assessor that carries a similar torch of structure and rigidity. In some ways, as you think it through, if you end up with an assessor that has this prescribed process of thou shalt do steps one through seven hundred and eighty-three type of thing.
Yeah, okay, any other limitations that will come as a result of that? Well, of course, you’re gonna need to adapt to the structure that, if every single time you’re gonna go through this process, there’s the same seven hundred and eighty whatever steps. Now I’ve got consistency. So it’s like sure it’s a mishmash, it’s more of a feel thing. You just need to take a look at it. But it’s absolutely important to have a fit. If you’re walking in, and you’re going to end up clashing, well then you might as well just go grab somebody else on the list.
Well, how can I further assess the assessment firm here? Sure. Well, it sounds logical, but go ahead and meet them. If they happen to be local, then great, but at least do a video chat. I would ask the assessment firm to include, preferably, the assessor that they would plan to assign to your engagement, or at bare minimum, the leader of the department for the certification that you’re gonna be going up against, because you’ll likely be working with that person. But get them involved as well if you can. If you end up being paired up with an assessor at a firm, and it’s not working, one of the suggestions that I’ve got for folks is, request that you shift to a different assessor than the one that you’ve currently got. Because that’s a good solution, so that you don’t have to gut the relationship with the firm, but you can still get into a better situation, at least from a firm perspective, you’re not losing that historical relationship and whatnot, you can provide some measure of comfort for others. They’re like, oh, it’s not working, I’m just gonna bail, make the call.
Sure, well, I mean, it may seem a little on the nose, but how does location play into the equation? Well, and this is an interesting topic for many people, they tend to find comfort in something that’s close, that they can reach out and touch, right? Especially, if you go into the hosting arena, right? Especially before the last decade plus, with the instantiation and rapid growth of cloud, people would want to have their servers at a hosting location that they could drive to, because it was a necessity. Well, now we’ve moved things into the cloud. Now the communication technology has dramatically improved. Honestly, for me, there’s still people that it’s just their thing. I want somebody down the road so that if I need to meet with them, I can see them face to face and it’s not costing me type of thing. But with the technology advancements, and video chat and all this fun stuff, you think about it, there’s no reason why I can’t be on the East Coast and have an assessor that’s on the West Coast. It just doesn’t matter. At the end of the day, for most engagements, the assessor typically needs to come out for an onsite once a year. So whether they happen to drive down the road, or they happen to fly across the country, my thought in general is that it’s a lot more beneficial to get somebody that is perfect, than to limit your options because of your geographic limitation, and have to settle with somebody in particular, your options are dramatically better off and wider if you can go anywhere in the country.
All right, so now let’s talk turkey. How does cost or do costs, because there’s more than one, actually play into the equation here? Yeah, well, cost is an interesting arena. I have seen more organizations literally just burn off their nose despite their face, because they just say, whatever company comes in with the lowest price, is it. There’s no way, don’t hire on price alone, because if they’re the cheapest, you get what you pay for. Exactly. Just because I happen to hire the most expensive firm known to man, does not mean that you’re going to have an amazing, perfect relationship. In many ways, what I’ve seen over time, is that when you pick an organization that is moderately priced, they’re often better for the budget. And those firms will typically try harder to earn and keep your business. If you’re dealing with the cheapest out there you’re basically put into their machine of needing to do it swiftly, amazingly swiftly so that they can actually be profitable. If you’re on the mode of the most expensive, here’s the other interesting part about the more expensive ones. If you think about it, right? Big firms that are out there, one of the downsides of a lot of the larger scale firms is, they’ve built their approach on bringing in junior resources, getting them spun up and trained. Those junior resources tend to go into the middle tiers of management, a few will escalate up near the top, but the majority of the workforce are relatively less experienced with oversight, from the middle layers of middle management and upper management. And, that’s just the way that these big firms typically do what they do. There’s a couple of exceptions to that arena, but those really expensive firms, you could have dramatic variability in terms of real world boots on the ground skill and experience that’s going to be heading your way on your particular engagement. 
So those are some of the reasons why, those, mid-range priced style firms are the ones that I would typically gravitate toward. I like that. It’s all about value.
Speaking of, talk to us about what type of system requirement considerations need to go into this decision-making process. Well, for me, I mean, if all of a sudden they’re producing things on Excel spreadsheets, that’s going to make me run. I built a Portal to eliminate spreadsheets. So yeah, that’s going to instantly trigger me. But no, I mean, the reality is, is that if you’ve got a firm that’s coughing up spreadsheets as their collection, the way that they communicate in collection mechanism and block, instantly, that should be telling you things about where they’re at in the grand scheme of things from a technology perspective, how mature and dynamic their process is. So some firms have spreadsheets. Some are going to have drop zones for files and whatever, some type of a SharePoint site, go dump your stuff here type of thing. Others are going to have their own proprietary system that they force you to put your own data into. Some will use a system that you can license. The important part is ask the questions, know what you’re walking into beforehand. You always want to walk in eyes wide open. Part of the challenge is with the various other ways of doing it, with spreadsheets, drop zones for files, or use of their own proprietary system. The problem with all of those is that now the company that’s going through compliance, they have to create their own way internally to manage their own data, on their own systems, and then manually port it over to fill in the blank target arena. It will, in effect, you walk in with built-in inefficiency if you’re not able to all use the same system. And the one thing that organizations, a lot of them are like, well, hey, the assessor’s the boss, so we’re just gonna do whatever the assessor says, but they’re not thinking about down the road, right? What happens if your dream assessor person at fill in the blank firm is now gone, they’ve now left and have gone to a secondary location, or left the firm.
You now have to switch compliance assessment firms. You don’t want to have to go and abandon your only repository for all of your information and data. If you are all on one system that you can use, and you can retain the licensing for, that’s your ultimate dream for how to go about doing it.
All right, so parting thoughts and shots, this has been extremely informative. What else do you have for the folks as we head down the back stretch? Well, just keep in mind that this choice of assessors has the potential to make your life miserable, or not, so make your selections carefully. Make sure that the assessment firm that you’re dealing with isn’t just simply going to be black and white about it, that they can use their judgment to determine how you’re meeting these requirements. Think with an open mind. Make sure that the assessment firm is the right fit for your organization. You definitely don’t want to settle with an organization that isn’t a good fit, even if it’s an existing firm, find ways to make that better. There’s no reason that your experience needs to be horrifying. Like I said earlier on, I wouldn’t instantly just abandon ship from the existing firm I’m working with. But go talk to management, and go see if you can get the assessor switched that you’re directly working with, if that’s the change that’s needed. Sometimes the change is more fundamental and you need to go make the switch. But if you’re with an organization that isn’t a good fit, it’s just going to make your compliance experience suck that much more. Hence the motto of TCT, making compliance management suck less.
Oh, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.