Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Compliance Status Updates for Executives
Quick Take
On this episode of Compliance Unfiltered, the CU guys go inside the mind of executives to uncover the true importance of having access to, and the understanding of, compliance status updates.
- Curious about some of the common challenges in status reporting?
- Want to learn how much of a game-changer real-time status reporting can be for a dynamic organization?
The guys will cover all this and more, on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who will row, row, row your compliance boat. Mr. Adam Goslin, how the heck are you, sir? I’m doing good, Todd. How are you? Pluses and minuses, sir. I can’t complain all the way around. Today, we get to talk about something that, well, makes me happy, and that is status, compliance status, specifically for executives.
Now, why is having your finger on the pulse of your compliance engagement important as an executive? Well, I mean, you know, smart executives realize the business impact that, you know, security and compliance can have on their organization. So, you know, it’s important that they’re, you know, kind of keeping their finger on that pulse, making sure that they know, you know, where they’re at. But, you know, in the same sense, you know, we also want to look at it from an executive perspective, right? They don’t want to be getting lost in the weeds or micromanaging their teams and, you know, and whatnot. There’s a certain level of information that they need to know in order to do the things that they need to do, you know, day by day. Certainly, internally, you know, they’re getting inquiries and requests from, you know, from various folks, right? Whether it’s, you know, investors, board members. You know, critical clients, you know, sales, you know, sales is interested in the, you know, kind of the state of the overall engagement because client, you know, prospective clients are asking, you know, things along those lines. So, being able to have your finger on that pulse is super important, but you know they also realize that, you know, it’s almost impossible to do that effectively. You know, which means that, you know, for most executives, they aren’t really as informed as they’d like to be. You know, but certainly, you know, some of the tools like the TCT portal, you know, give the organization a better ability, you know, for those executives, and give them information, you know, expediently, if you will.
Sure, that makes sense. Now, what are some of the challenges with compliance status reporting? Because, golly, there are several. Yeah, well, you know, you look at, you know, you look at a CFO and, you know, their greatest priority for compliance management is about making, you know, making the most of things, doing it in a timely and an efficient manner. You know, so, you know, the reality is that the company security and compliance program is not a small endeavor, nor is it easy. Managing compliance takes a, you know, takes a good amount of time, which is a big drain. And the biggest problem with the security compliance arena is that drain typically happens with your, you know, most expensive and often your most scarce resources, you know, for the organization. So, you know, compliance in and of itself comes with an amazing amount of complexity, which, you know, further complicates the, you know, the issue of being able to do things, you know, without a ton of wasted time and inefficiency. You know, there’s a lot of organizations out there, you know, that are literally throwing away, you know, tens of thousands of dollars, you know, or more every year on unoptimized compliance engagements. You know, today, you know, organizations just don’t have a good way of being able to track that efficiently. You know, every single time that you want to, you know, that you want to update the state of your compliance, that includes, you know, a bunch of work that needs to get done every single time that we want to go update the status.
So, you know, so every time somebody’s saying, hey, where are we at, you know, somebody’s got to go and put their head down and blow hours just trying to get to the answer. You know, so, you know, the problem is that by asking, hey, where are we at, and knowing your status so that you can proactively manage the engagement, in the same sense, you’re just burning time every single time that you’re trying to get to that answer.
So, you look at the CEOs and sales arena, they really understand the impact compliance has on both customer acquisition and on retention. So, on the one hand, you’re trying to stay out of the headlines for having an issue and that’ll prevent an exodus of customers, but on the other hand, more and more customers pay attention to companies that really have their ducks in a row in the realm of that cybersecurity. So, if your priority is to gain and retain customers, then it thereby means you need to care about the status of your security and compliance engagement. And a big frustration for a lot of executives is that they feel like their compliance status is opaque or uncertain, that it’s difficult to get to answers, things along those lines. When you get a status report, it takes too long to get it and it’s probably stale data by the time you do get it. So, you just don’t really know what the situation is. So, that makes for some challenges. Certainly, the efforts that we’ve put into the TCT portal, take away that uncertainty. The inefficiencies of being able to generate those status reports are thereby resolved.
Now, how big of a game changer are accurate live status reports? Well, accurate live status reports are huge. They’ve got, when you’re leveraging a compliance… management system like the TCT portal, you know, you get these things kind of inherently, if you will, just by using the system. So you know, TCT’s clients care a lot about compliance status and that’s a good thing. To us, it seemed insane to burn hours every time we wanted to get a simple status update. So we basically sat down and built a tool from the ground up to go cure some of the biggest problems that we were seeing on compliance engagement. You know, with the TCT portal, you’ve got status information that’s available immediately in a dashboard with a click of a button. You don’t have to sit around and wait. Your information and data doesn’t have to be outdated. You don’t need to divert the folks you need for compliance from their core work to jump into the fray to help. And it really makes things substantially easier for tracking and managing the statistics of your team. So questions that are simple to be able to get to are things like, what’s the overall status of the engagement? What tasks and activities are completed? Who has what in their hands? Which tasks are overdue? What’s basically gone through the validation process and been marked off as concluded or completed? These are all elements that effectively come straight out of the system. So it makes a huge difference for not having to be shooting yourself in the foot every time you wanna get a status update, it’s there, it’s accessible.
Yeah, and being able to manage across multiple departments, that information is hypercritical.
What are some of the different views leaders can use, and their purpose, I guess? Well, in the TCT portal, there’s really three kind of main dashboards that are especially useful for the executives. And it really kind of depends on where they’re at, what’s the information that they’re interested in seeing, what’s the purpose of their request? So in one view, there’s a view that’s called a status view. So effectively on every compliance engagement, there’s a certain workflow. Now, within our system, we have the capability to customize that workflow to whatever works for that particular organization. But whatever chosen workflow they’ve got, let’s say that it’s going from the applicant’s hands, applicant, sorry, in my world, I should back it up a little bit. In my world, I always struggled with what to call the company that’s going through compliance. And “the company that’s going through compliance” is a really long way to say it. So I tend to call those folks applicants, or those that are applying to be certified. So, you know, maybe it flows from applicants to an internal QA function, up to the organization’s consultant, from there up into their, you know, kind of frontline assessor’s hands, into the assessor QA process, and then into completed. Well, when you look at it in status view, it shows you each of those kind of swim lanes, you know, that you’ve got in your workflow. And at a glance, you can see, you know, what’s the percentage that are completed versus sitting, you know, sitting in the, you know, frontline or applicant’s hands, versus maybe they’re stagnating in, you know, applicant QA, you know, before it goes up to the consultant, or maybe the consultant’s running behind, whatever. You’re able to just go in and at a glance get super high level numbers, as well as see the stats across the various, you know, kind of breakdown of requirements from within whichever certification it is.
So, you know, I’ll use PCI as an example. There’s requirements one through 12. Well, that status view will kind of break it out across the requirements one through 12. The next view that executives can leverage is something that we call an assigned view. So in the assigned view, you’ve got the ability to basically take those swim lanes that we were talking about a minute ago and then break those out so that I can see, well, in the applicant, you know, bucket, maybe there’s 12 different people that are working on things. So you can then break that apart to say, I want to know which person on the team in the applicant arena has how many items, you know, under the various requirements. So now I can just, with a flip of a button, now I can break it down to that level. So, you know, you can imagine that status view really is leveraged by, you know, top line executives, etc. Maybe the CFO is starting to get a little further into the weeds than some of the other C-level execs in terms of managing the engagement and wants to know who has what, you know, type of thing. Now that person can go into the assigned view. Certainly, you know, folks like, you know, whoever is actively managing the compliance engagement, you know, project managers, things along those lines, a lot of those types of folks will, you know, will benefit from leveraging that assigned view to be able to kind of go through it. Depending on the certification that you’re working on, go back to PCI as an example, there can be 500 different things that are in active and inactive movement through that workflow. But you’re able to tell at a glance that, oh, okay, we’ve only got 200 left out of the 500. I’m also then able to see, of those 200, you know, who has what. And now you can go in and see, oh, well, let’s say Bob has, you know, Bob has 20 items out of the 200, but Mary’s got 140 of them.
Well, maybe you’re gonna end up with a problem resource-wise with being able to get things through. So you can go ahead and make some smarter decisions around who is it that I want to go in and take on what. The third of those views that you’ve got is, you know, for an organization that’s already achieved compliance and has now moved into maintaining it. We’ve also got a view that will assist organizations that move into what we call operational mode, where they’re able to tell, you know, are they staying on track with their various deliverables that they’ve got through the, you know, through their annual compliance cycle. They’re able to tell whether or not, excuse me, whether or not the items that they’ve got are, you know, done, done on time. Are they behind schedule, etc.? It really just helps for the overall sense of, you know, are we doing the things that we need to do when we need to do them? And be able to see all of that at a glance as well. So that’s, you know, that’s part of the, you know, a compliance management system. You know, and especially, you know, for those organizations that, you know, that are compliant and now are managing and maintaining it, it’s probably one of the most understated challenges, you know, for organizations.
A lot of them will breathe that sigh of relief when they, whew, we finally got fill in the blank compliant, right? And, you know, they don’t realize just, you know, that’s like half the battle is getting there in the first place.
You’ve still got another whole, you know, another whole challenge, which is now that I have declared, I am compliant with fill in the blank and we’ve, you know, some executives signed off on it and we’re handing these pieces of paper out to people, etc, you know, they don’t quite realize just how big of a deal it’s going to be to manage and maintain and keep their finger on all of the things that need to be done all year long because they’ve got things that are supposed to be done, to be done every day, every week, every month, every quarter, twice a year, once a year, etc. And it’s really, really easy for an organization that isn’t using a compliance management system to lose sight of certain things. And the problem with that is when you get to the backend of your kind of, of your compliance engagement, now what that means is now I’m sitting down, I’m in front of the assessor. And now I’m in the unfortunate situation of having to answer some really, really tough questions around, you know, well, why isn’t this done? Where is this evidence? Why, I can’t wave a wand and go back and magically materialize something from nine months ago. You know, I didn’t do it. Well, yeah, yeah, it doesn’t work that way. And so, you know, you can’t just materialize it. And now I’ve got to try to justify to the assessor, you know, well, why isn’t this done and who dropped the ball? And, you know, now I’m having to write up additional documentation. And then quite frankly, it could be a risk to my, you know, to my annual compliance, depending on what it is that we, you know, that we missed out on.
Now, all of that said and done, in my mind’s eye, that’s the least of your worries, you know, oh, geez, we forgot to do fill in the blank and now we have to do some extra paperwork to explain why we didn’t do it, etc, and what we’re going to do differently going forward. The bigger problem for the organization is quite frankly, their state of security, because if I’m not fulfilling, you know, key, the controls aren’t there just for fun. You know, they’re there because they serve a purpose. They’re there because they provide active protection for the organization. And, you know, it’s, you know, that’s the important part, you know, to me, I mean, you know, I fall into an interesting, interesting bucket, right? You know, I’ve been in the security and compliance space for, you know, for a couple of decades at this point in the game. But, you know, I’m also, I’m also a CEO of an organization. You know, my organization meets every single week to sit down and hey, guess what? Take a look and see where we’re at and what’s going on. And do we have all our stuff done, etc? And it’s just, it is so freaking cool, you know, over how we, how we used to do it back in the day. You know, it’s, it’s the whole reason that we, that we wrote the damn system is just so that we can, you know, try to make, we have our tagline, right? You know, try to make managing compliance suck less, you know, and that’s kind of the mantra that, you know, that we live by, but you know, we, we are, we are consumers of that benefit at the same time, which is, which is super cool to see.
Indeed, indeed. Parting thoughts and shots for the folks this week, Adam? Well, the, you know, the reality is that, you know, when you’re leveraging a compliance management system, you know, you oftentimes, it depends, the C-level people will often have internal tools and whatnot that they wanna go in and leverage for seeing the information that they wanna see, because they’re getting feeds from whatever, they’re getting feeds from HR and they’re getting feeds from accounting and they’re getting feeds from sales and feeds from marketing and whatnot. So even if they’ve got that, you know, kind of consolidated internal dashboard, the cool part is that TCT has an API that allows the extraction of the status level information so that, you know, if your team can assist and do some integration, you know, with the information that’s available through the TCT portal, then you’ll be able to pull the status information via the API back into whatever familiar tool it is that you’ve got for your executives. You know, we like the notion of being able to be flexible in that regard, you know, so that makes things a whole heck of a lot easier. You know, the other thought is that, you know, getting those real-time status updates, man, that is just huge. You know, as an executive, you wanna be able to just put your fingers on information that’s accurate, that’s live, that you can count on. You know, you’re seeking the streamlining of operations and making sure that you’re helping to protect the company, you know, by making sure we’re up to speed on everything that we need to do for our security and for our compliance, you know, and not the least of which is, you know, in this day and age, being able to allow your personnel to focus on their kind of core, you know, core responsibilities to the organization instead of blowing time, you know, trying to track things down, manually managing, you know, things via spreadsheets, etc.
It is an absolute fricking nightmare. And quite frankly, it weighs heavily on those folks that have to struggle with these things that are tough to do. So for the executives out there, if you’re sitting there, you’re looking at how things are going, you’re seeing the struggle internally and whatnot, I would strongly encourage you to look for a better way. There is a better way to manage compliance. There is, in fact, a better way.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.