Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: TCT Unplugged Vol. 1


Quick take

In a first for the show, this week’s episode of Compliance Unfiltered shakes things up a bit. Adam asks the questions about what Todd is hearing on a day-to-day basis about the needs and wants of Professionals in the compliance space.

We take a candid look at some of the common challenges that organizations and assessors share in the space. The conversation also sheds light on some of the ways that TCT has been able to address them.

Join us on this deeper dive into some areas of opportunity for the space in general.  All this and more on this week’s special Unplugged edition of Compliance Unfiltered!

Remember to follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who has a great appreciation for all things, big and small, in the world of compliance. Adam Goslin, Adam, how the heck are you? I’m doing just fantastic today, Todd. How about yourself? Man, I can’t complain. I truly can’t. So tell me, what’s today’s episode all about? It’s unique. I’m curious. Tell the folks.

Well, normally, the folks that are listening don’t get to see the prep work and all that fun stuff. And so, we kind of get topics lined up, and get lines together. And there’s a fair amount of work that goes into each of the episodes. And I was sitting here thinking, I’m like, we’ve never done, what I’m going to phrase, TCT unplugged. And so the thought process here is that, you’ve been working in the security compliance arena, talking to folks that are interested and or have needs in the security and compliance space. You’ve been doing that for a while. I’ve been working in the security and compliance space for a while. The way I figure we run this one is, having you list some of the common things that you see as asks, or needs, out of folks that are in the security and compliance space. Describe the types of things that you’re hearing that they’re interested in and want to know about, or are struggling with. And then we can just have an open dialogue on some of the items that will typically come up for you. And at some point in the game, we’ll go ahead and stick a fork in it, and see how this episode works out.

You know, I think that that’s great. Being able to pull back the curtain a little bit for the folks at home is pretty cool. And I think that from what I’ve seen in my time in the compliance space, it’s really a need for some place to house everything all at once. I think one of the biggest challenges that I see, and it really doesn’t matter whether I’m talking to an individual member of an organization, or I’m talking to an auditing or assessing firm, the need is always similar. At some point in time, somebody says something to the effect of, and listen, I’ve got to depend on all these different people to give me all these different things, and they’re housing all their information in all these different places, it’s just exhausting. I spend so much of my time chasing my tail. Herding cats, if you will. Not that anybody listening to this podcast can relate to that. No, I agree the notion of the consolidation of just getting things into a single spot, it’s a challenge. Because the folks that have been down this path, seasoned cat herders, those folks that are used to doing that, it all started back in the day with a spreadsheet, and places to go put stuff.

And honestly, herding cats is about the best approximation I’ve managed to come up with for managing a compliance engagement, just because there’s so much useless wasted time that these people end up spending, just trying to establish a process that’s even manageable. Because you’re dealing with vendors, you’re oftentimes dealing with five, or six different internal departments within each of those teams. There could be sub realms of expertise within the personnel, depending on which department we’re talking about.

You know, people are people, they’re going to do things differently. It doesn’t matter that I told them, you know what, I want you to name everything that you’re going to go send in this manner, so that I have some clue of what the heck I’m looking at when I stare at the file name, and I want you to put all that stuff here.

And it sounds simple. And yet, great reality seeps into these damn engagements. You’re sitting in a meeting with Barbara, and Barbara says, Oh, you know what, I forgot to tell you. And meanwhile, she’s delivering pertinent information around your compliance thing, sitting across from you at a table. I’ve got nothing to write this down with, what do I do? Do I write on a post-it note, and hope I don’t lose it? Do I send myself an email? It’s just a gigantic pain in the ass. And how do I store it? And how do I refer to it later when I need it? And how do I share that information with other people who may request it? And so we’re seeing that happen a lot in this space.

One of the other things that we’re also seeing consistently, one of the asks that I hear is specifically around my compliance needs, not my GRC needs. The thing is, when I’m talking to compliance people, their focus is shopper compliance. And they’re not really worried as much as the majority of folks about the governance risk aspect of things, at least at this portion of time. They’re certainly not looking for that, in addition to their immediate need on the same level. So they want to talk about their immediate need, they want something that’s going to help them address their immediate need, that’s going to make their life easier, as opposed to give them just another system to learn. And it’s something that they can replicate with the rest of their team. So oftentimes, when you hear people say, yeah, I’m familiar with GRCs, they’re talking about this big monstrosity of a complex system that does 99 things, and one of them happens to be compliance, and it just doesn’t quite fit for them.

Now here’s the deal with those gigantic, behemoth GRCs. There’s a couple of downsides, right? Number one, if you get one that’s worth its salt, then in all likelihood it’s going to cost an astronomical amount of money, that’s one of the downsides. And the other is that those big, huge, gigantic GRC systems, I mean, I’ve heard tales of well, we’re 18 months into our GRC rollout, and we’re only 62% of the way there type of thing. It’s like, nowadays people just don’t have time for that crap. My favorite Adam, is when you purchase one of those big systems, after the ink is still drying on that contract, they tell you, oh by the way, you’re going to need to bring in an in-house consultant who works specifically with companies to facilitate the integration of our system.

Well, there’s the atypical games that are played out there, right? Like okay so you bought the GRC, and you’re right. Now we’re going to get into add-on territory. Oh, well, we didn’t realize that was part of the scope. And, oh, by the way, you’re gonna need to go ahead and get your own consultant, or we can help you with that. Oh, oh you meant that you needed to have this module? Oh, well, that’s going to be an upcharge. It’s just like watching a train wreck, you can just see it unfolding. You’ve now got this, starting out of the gate, year-long deployment. Costs keep getting flung on the one side, with the timeline on the other side, just dragging on and on. Even if they had a prayer of hitting their 12-month initial rollout, you know, on that understanding, they’re not hitting that. So I get it that at the end of the day, these poor compliance people just want to make it better. And one other thing I was going to say to you is that, yeah those gigantic, behemoth GRC style tools. Once it’s completely rolled out, and you have paid your pound of flesh and gone through the 18 dimensions of hell to be able to get it in place. Can those systems once completely tuned up, bippity, boppity, boo, make your world easier? Of course they can. But that’s way down the road, and comes with an investment of many hundreds of thousands, if not millions of dollars later. And people are just looking to make the bad man stop now, dragging it on for ad infinitum through one of these tool sets.

Something else that we’re seeing regularly in this space is, people trying to talk to us about, I mean, for lack of a better term, ongoing compliance. Like anybody who runs a business, you want staying power, you want stickiness with your clients, you want that business year over year. And in the compliance space, being able to refer to previous years’ information on an engagement, I mean, that’s worth its weight in gold. And if you can keep it in the same system, when it comes to how much time and energy you’re going to save on that actual engagement, that’s not necessarily something that is common in the space, as much as you would think it would be. Well, what’s interesting is that I’ve been seeing, everybody loves their buzzwords right? The latest newfangled thing, and blah, blah, blah. And then with the notions of ongoing compliance and continuous compliance, there’s all these people coming out with these buzzwords thinking they’ve just invented water or something.

The bottom line is that when we started the TCT Portal back in 2014, one of the very first things that we had built into it was the ability to handle those operational compliance needs, because it was a gigantic pain in the ass to have to manually manage all of this stuff. And honestly, how operational compliance mode started, was because literally I’d be showing up at assessor on-sites, and having people on the client teams going, oh, geez, I totally forgot to do fill in the blank. Whether it was their quarterly vuln scans, or a quarterly check of their users, or quarterly pulse checks for rogue wireless. And in some cases, it was extremely painful to sit and have those conversations. I just wanted to try to help protect the organizations going through compliance. So they weren’t in that position. It’s not fun for them. It’s not fun for me trying to help them. So that’s kind of how that operational mode of compliance started out. The biggest problem, I think, is that a lot of organizations believe that, oh, well, if we want to get a system that’s actually going to help us with our compliance stuff, we’re going to be spending hundreds of thousands of dollars, and multiple years of rollout. But that’s the entire reason why we built the TCT Portal, we didn’t want people to have to suffer and wait, things along those lines. And so, they walk in with the misnomer that it’s going to take a lot of time and pain to roll something like this out. It’s just not true.

And so, if they can get the light bulbs to go on and pick that, I’ll call it a middle ground tool, which will help them with their security compliance stuff. It’s huge, because now they’ve got that single source. You were mentioning earlier, the single source repository for their security and compliance information. It’s gigantic to be able to just know consistently that yes, all my stuff is here. I don’t need to go looking all over the place for it, all my communication, my documentation, my explanations, my files, everything is in one spot. And the best part about it is, it’s not just a location where you go put stuff, right? You can dust it off a year down the road with a compliance management system. You’ve got the ability to route it and assign it to the right people on the team, and even have it establish for yourself an internal QA process if you so choose, before it’s heading on to your consultant or assessor. One of the coolest parts about the TCT Portal in general is, that it’s almost like a meeting place for folks that are going through compliance engagements. And quite frankly, the company going through compliance can license it. We have service providers or consultants that will license the TCT Portal for their engagements. We’ve got assessors that will license the portal for their engagements. We can even switch the licensing. So if there’s a company that’s going through compliance with an assessor, and that’s how they happen to get introduced to the TCT Portal, they can pick up the licensing themselves.

That puts us into a kind of neat and interesting position in the marketplace, because our goal and objective is to help everybody with their security and compliance needs. It gives the folks the ability to go out there and use the tool, and if they need to switch around the licensing for whatever reason, maybe the organization started off with a particular assessor, and they’ve decided they want to move to another assessor. Well, it doesn’t mean they have to lose the use of the tool. They can pick up the licensing themselves. In another case, we’ll have organizations that will initially get introduced through an assessor, because they’re going through PCI as an example. But the internal organization has needs for HIPAA, and NIST CSF, and CMMC. They’ve got these other needs that they’re not addressing through that one assessor. That’s been another reason why organizations will just pick up the licensing themselves, there’s no change or impact to the assessor. But the folks going through compliance, the people I call applicants, those organizations that are applying to be certified, the applicant organization, they can go ahead and license it themselves, continue to use it for PCI with their assessor, and then be able to also use it for tracking and managing all of their other internal compliance needs, or maybe they’re even using different assessors. They’ve got split assessments, they’ve got some that are not even using an assessor. They’ve just got all the options at their fingertips at that point in the game, which makes it really, really cool.

One of the other things that we’re seeing, just kind of going along with that, that I hear people kind of ooh and aah about, or at times will ask initially, is this something that’s possible? Specifically in the realm of assessment firms, but also with individual organizations with whom I partner. There’s a lot of crossover in applicable controls between certifications. And so it’s something where people go, oh my gosh, can we like connect those? Or is there some way that those might, I don’t know, map together? And one of the nice things about what TCT brings to the table is that mapping, the control mapping between different certifications. Well, the control mapping is an interesting one. We’ve got it set up in a couple of different ways. We’ve got the ability to quote, import. So you can just say, hey, I want to take my relevant data and information, I want to import it from this track to this track, so I can import it from PCI to HIPAA as an example. But another option that we’ve got as well is something that we call live linking. So basically the way that that works is, that when the track is up and running and they’re filling in their data and information on their PCI engagement, let’s say they were live linked to their HIPAA, then any of the relevant controls which would map over onto their HIPAA engagement, the evidence would immediately live link from PCI over to the appropriate HIPAA controls, and fill those in as they’re going through their PCI. So all of that ends up working together. The other nice part is that, we’ll take a crack at the mappings between the certifications, but we’ll give the organizations the option, or opportunity, to customize those mappings that they’ve got for their particular engagements. That can start off with the defaults, and then they can tweak them as they see fit.

So, if we’ve got a particular assessment firm that wants to have their engagements mapped a certain way, then they have that ability to go in and tweak and modify those within the system. So that makes it pretty cool, and very portable. Because like on a HIPAA engagement, generally speaking, the majority of the controls can, depending on the client’s circumstances, either be marked N/A or inherit from a PCI-style engagement with one exception. That’s the business associate agreement over on the HIPAA side. That’s typically standalone, right? It’s something specific to HIPAA that’s not going to get crossover coverage from PCI. And so what the organization can do is, they can basically parking lot everything except for that BAA. And now they’re working through their PCI and they’re working on their BAA item over on the HIPAA track. And meanwhile, everything else is just automatically getting filled in as they go. That’s another cool element of being able to really truly optimize your engagements.

Now, when we’re talking about having two certifications, okay, well, yep, that’s super cool. But I mean, we’ve got engagements on the portal where the organizations are literally subject to five, six, seven different certifications. And we’ve kind of got it set up so all of that harmonizes with each other. And, oh my God, it makes it so much easier. No, it’s very true. The last thing, as I was sitting here thinking about this question, what really comes to mind when it comes down to the things that I hear most frequently within the space. This is actually something that TCT in general just kind of does. And it’s interesting how intuitive the portal is, and how often someone will ask a question on a call, and I’ll just be able to say, yes, that’s already baked into the system. It’s just the dashboarding functionality. Adam, it’s actually, really interesting how much people value the ability just to see where everything is in an organized fashion, so that they can properly understand what they’re up against. Well, that’s part of the pain that we were looking to cure, if you will. One of the biggest problems that I would have back in the day is that, if I needed an updated status, well, guess what? I literally had to go and create it myself. So, I would have to go through, try to start reviewing, oh, these are all the new files that I’ve gotten and blah, blah, blah, and let me go start making these updates. Well that updating process, it would take hours to go get through everything, to get my hands around what do I think I’ve got, and where’s it at. And in that two-hour span, everything is shifting underneath me, right? Meanwhile, I’ve got assessors which are moving things back down. I’ve got folks on the applicant team that are moving things up. And so by the time that I finished the status update, it’s already out of date.

And the dashboarding capability, some of the oversight capabilities through the system, it basically handles all of that, all of that pain that I used to have to do. It’s just automatic, it’s live, it’s there. You don’t have to wonder, or worry about what all’s happening, and who did what, and did they push this up. All I have to do is hit the refresh button, and basically it’s there. So that part is nice, as well as the ability to get different views of the data on the engagement.

So for one particular discussion, maybe I’m having a discussion with the execs for a particular organization, we’ll sit down and all we want to know is just big buckets, right? How much is in whose hands, who’s being the businesses. So if I’ve got the company going through compliance and I’ve got a consulting house and I’ve got an assessor, who’s got how much? How much is completed? How much is left in whose hands? That’s all I care about type of thing, we can do that. But when you’re sitting on your daily status meeting, or not daily status meeting, your weekly status meeting, typically compliance engagements will run, depending on where you’re at in the continuum, once a week would be typical. If you’re approaching the finish line, or you really need to push, maybe you’ll do it two or three times a week. You can bring it into an assigned view, if you will. Which will take the big buckets, and break it down into who’s actually got what, so that I can tell which person, on which team, has how many items in their hands. So you can go through and figure out what the counts are by person on the team. And again, we were talking a little bit ago about, hey, somebody comes and asks me, what’s the status on the engagement? Well, then I’ve got to go put my head down for a couple hours. Well, imagine you’re getting pressure to try to get this engagement done, right? You’ve got the salespeople clamoring at you. These clients want the report, and the executives are like, we need this done because we’ve got other business priorities. We need to have these people that we need to deploy them on. So the poor compliance person is just busy getting hammered eight ways from Sunday. And yet, is electively signing up for multi-hour status updates three times a week now.

How much absolutely effing wasted time are they pouring down the toilet, managing this stuff manually? It’s absolutely nuts. The difference in managing engagements when you use a compliance management system, I can’t even tell you what amount of night and day it is from the before and after. It’s just so much better. It’s so much easier. You realize just how much time you were spending, just whizzing it away as you’re going through that compliance engagement.

And the other thing, you mentioned something, we all said on this topic. I want to move back to something that I forgot about. Okay, so you were talking earlier about the benefits of having everything in one place. The other piece, which is huge, is that no matter what, anybody that knows me well, knows that I’m not like the snake oil salesman. I’m going to be realistic and honest about things. It doesn’t matter, man. Your first shot at compliance sucks, period. It can suck a lot less if you’ve got a compliance management system. But no matter what, whether you’ve got a compliance management system, or you have to do it manually, manually just sucks a lot more. But make no mistake, the first run sucks. And the reason why it sucks is, you’re trying to get your arms around these things. You’re either trying to figure all this stuff out for yourself as your goal of going through your compliance thing, or you’re trying to figure out how does your assessor tick and work, what are they going to take, and what are they looking for? And you’re figuring out a lot of stuff, right? But no matter what, when you go through that first pass of compliance, there is a tremendous learning experience that happens, you know, not only for the organization, but for the person going through the assessment side of things, or the one that’s actually going through the compliance side of things, on both sides, there’s just a ton of learning that happens.

One of the big problems nowadays is that, there’s always a lot of turnover. There’s either turnover, there’s people coming and going from the organization, there’s people coming and going from departments within the organization, there’s people coming and going from different levels within the organization. That change is just a constant drum beat. So, now you look back, right? You look back at, okay, we made it through our first pass, whether you happen to do it manually, or you happen to use a compliance management system, everybody kind of does the sigh of relief, we made it through. Well, all of that learning then goes out into the ether when you start having people switching positions, changing jobs, leaving the company, whatever it may be, you lose a ton when you don’t use a compliance management system.

Now, I can’t even begin to tell you how much of a great feeling it is going from, not using a compliance management system, to using one when you get to that year two plus arena. Now that I’m walking back into year two, hopefully I’ve managed to preserve a number of people that were on the team the last go around, that did all this learning. Hopefully, I’ve still got the same assessors at the assessment firm that I’m working with. The greater the consistency in those groups, obviously the easier it is, but there can be changes. But it’s, oh my God, it’s like the clouds part and angels start singing when I can just go to the compliance management system, and see who did what, what people presented which evidence, how it was presented to the assessor, did they accept it, did they tell us it was wrong and we needed to change it, what was the final thing that they actually took as evidence. You’ve got all of that, any of the internal commentary back and forth about trying to find things, where did I pull this from? Oh, I think that Bob needs to go grab this. No, wait, nope, it wasn’t Bob, it was Alison. All of it is sitting right there at your fingertips, you’ve got it as a repository. Oh my God, it’s so much easier when you go back and just go in and look and say, what the hell did we do last time? And actually have it.

If I’m in the old days crap show, where I had things flying at me through text messages, face-to-face meetings, emails, drop zones, share files, SharePoint, and possibly even being mandated to use my assessor’s compliance system to go load everything into, you lose all of that. And it’s F-ing huge, it’s huge. Because now, let’s say Alison fulfilled 15% of the items on last year’s track. Well, if Alison’s moved on to another company, now I gotta get some noob to go and get their arms around all of this stuff. But if I’m using a compliance management system, now the noobs, let’s say that the noob’s name is Frank. So Frank’s taking over for Alison, Frank logs in, looks at last year’s track and can see, what did Alison do? He can go in and look at those items. He can assign himself to the same items Alison was on. He can see what she did. He can see, where’d she pull it from? What screenshots were leveraged? So it’s all right there. And I can’t even begin to tell you on year two and three, how much time these companies end up saving by not having to go through those 18 dimensions of pain.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
