Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Consolidating Compliance Tools
Quick Take
On this episode of Compliance Unfiltered, we jump headlong into the topic of getting more efficient by consolidating your organization’s compliance tools.
- Ever wonder why companies have such a litany of compliance tools?
- Curious as to the implications and potential pitfalls of using multiple tools?
- Ever thought, “What are the benefits of consolidation in this arena?”
Then this is the episode for you! The guys will cover all this and more, on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who is the chocolate to your compliance peanut butter. Mr. Adam Goslin, how the heck are you? I’m doing good, Todd. How are you? Man, I can’t complain. I’m actually extremely excited because today we’re going to talk about one of my favorite topics in the world, and that is becoming more efficient.
We’re going to chat today about consolidating compliance tools.
So tell me, Adam, more specifically about why organizations have just a plethora of compliance tools today. Well, for many organizations, when they get started, more often than not, you end up starting with one cert. I have an organization that I’ve worked with for the better part of a decade, and started off with one certification, and next thing you know, people started clamoring for another certification to get added to the mix, and so poof, they end up layering in a second certification, and then a third, and then a fourth, and whatnot. So as organizations find themselves in that position of going out and saying, okay, well, we want to get compliant with fill in the blank. A lot of times there’s tools out there that are specific and purpose driven for a specific standard. And so, you know, they go and they pick up that tool and now they’ve got this new standard and their existing tool doesn’t handle it. Or maybe they built something internally, you know, specifically for, you know, fill in the blank compliance standard, you know. You know, the other problem is that as they, you know, as organizations grow, more often than not, they’ll start with, you know, kind of doing these things themselves and then having to start layering in assessors for one or more of the compliance standards that they have. So now not only do I have, you know, kind of like, I got this tool for the standard internally and I got that tool for this standard internally, but you know, now I’ve got one, two, three different assessors that are floating into the mix. And every single one of those assessors has their own favorite tool and possibly even their own, you know, that they built for their organization. So, you know, every single time you’re throwing these new tools into the mix, you know, the organizations don’t, they don’t really realize or notice the incremental layers of inefficiency.
And, you know, as they’re going through that process, you know, they just, they’re in this auto mode, right? Oh, well, you know, last year we did our stuff this way. So we’re just going to do the same thing again, you know, and everybody trundles off down the path and, you know, and whatnot, and they don’t even question it. And, you know, I’ve, you know, I’ve always held this notion, you know, which is part of the reason why we, you know, why we built the TCT portal was that, you know, it was that if you’re the one that’s going through compliance, then you should be making this process as efficient as you can for yourself. You know, the folks that you work with, your consultants and assessors and all that fun stuff, yep, they’ve got a job to do, you know, for sure. But, you know, more often than not, organizations will, you know, kind of, you know, out of whatever the, you know, whatever the assessor is telling them to go in and do. And if that includes, you know, oh, well, we’re going to need you to go put all your stuff into this special tool, you know, then they’ll just go ahead and do it, you know. And meanwhile, you’re just shooting yourself in the foot. You’re making yourself more and more inefficient every single time that you’ve got to go, you know, got to go do this. So, you know, certainly if you can take the opportunity, the number one, internally reduce those compliance tools, you know, down, you know, then that’s a good thing. And certainly if you have the opportunity to be able to leverage a toolset that will work both with your organization and… with your various third parties like consulting groups or, you know, assessors, etc, you know, then, hey, you’re all that much better off, you know, certainly for any of the listeners, you know, that are, you know, that are looking for, you know, a kick-ass referral to somebody that’s in the consulting arena or the assessor arena that can assist them and, you know, share in the same tool set. 
You know, we know a lot of people in the compliance space, so I’d be happy to go ahead and, you know, kind of introduce people, you know, to cool folks to work with.
One of the things that, I don’t think I’ve ever brought it up on the podcast before, but it’s one of the things that I’ll tell people regularly is that the way that TCT works is, that we don’t take like referral fees or spiffs or whatever when we’re referring somebody. I’m looking to give somebody a referral to someone that’s going to do the job, do it well, all that fun stuff. I’m not interested in kickbacks and things along those lines. So there’s nothing in it for TCT other than just trying to get folks connected up with the right individuals that will be able to truly help them with whatever their needs are. So certainly if the listeners are looking for something, someone or a solution, whatever, they can go hit us up any time. We’d be happy to give them a hand.
Tremendous stuff. Now, what are some of the implications of using multiple tools? Well, we kind of did it briefly, kind of brushed against it, if you will, as we were going through the overview, but it’s not fun when you’re using a whole bunch of tools to accomplish compliance. But the pain goes beyond just annoying. When you’re wedded to a bunch of different tools for getting through your compliance, you’re actively embedding numerous problems into the health of the organization. And some of those big offenders, certainly a diminishment in productivity. So it’s really difficult to manage everything when you’re using all these different tools. If I’m going up against four different certifications, well, now, if I’m looking for a particular piece of information, well, now I got four different locations I’ve got to go to. Not only that, but you’ve got some organizations that they’ll have one certification that’ll pop up in April in the calendar year. The next couple of their certifications pop up in June, and then there’s another one that floats in October, you know, so certainly if you’re running multiple certifications across, you know, on differing schedules over the course of the year, you know, now you’re also in this process of effectively pulling the same evidence, you know, multiple times all year long, you know, against all these various different certifications, you know, the same evidence has to get into all of these various tools that you’re leveraging for these, like in this case, for example, four different certifications.
So there’s just a ton of redundant work, redundant effort that kind of goes into that mix. Certainly one of the complications in this arena is just never ending training time and cost associated with training people on all of the different tools that we’ve got. You know, I got four different tools. I’ve got, you know, four different systems. I got to go train people up on how to use all that fun stuff every time the certification is changing or the tools changing. Now I’ve got to go back and do retraining, you know, and whatnot, you know, training for, you know, for just one system can be tough, but you know, you start getting into multitudes of these tools, it’s really, really difficult. You know, every time that you’ve got a new employee, you’ve got to train them on all these different compliance systems. And, you know, the more you have, the more likelihood they’re going to need retraining just because there’s so many different fricking tools out there, you know, it’s a drain on your trainer. It’s a drain on the trainees you’re trying to get through and increases the operational cost to the organization.
Speaking of which, you know, just cost alone. When you’re talking about acquiring, you know, different kind of compliance specific tool sets, you know, now you’ve got the costs associated with, you know, with all of these various tool sets that now I’ve got to go ahead and, you know, go ahead and bring into the mix. You know, oftentimes it’s hard to get, it’s hard to, in fact, I think we did a good episode on this back in the day, which was, you know, hey, how do you talk to your CFO about, you know, justifying why does this make sense, right? You know, it’s hard enough just to get him to, you know, get him to sign off on one of these fricking systems, but now I’ve got one for this cert, one for that cert, one for the other cert, and all these dollars and costs and whatnot popping in. It just gets progressively more difficult to justify the multiple purchases that you’ve got to do. You think about it, for most organizations, they aren’t gonna use multiple CRMs for differing sales funnels. They aren’t gonna use different HR systems for every department. They’re not gonna use different accounting tools for different accounting functions, so why the hell would you use multiple compliance tools to get through your compliance? It doesn’t make sense, you know what I mean?
No, for sure. Now, what are some of the advantages of consolidation? Well, when you consolidate everything down into one system, I look at it this way, consolidation in a couple of ways. One system and do it all at one time is really the objective. With the TCT portal, I named the company appropriately. I called it Total Compliance Tracking, and I did that for a purpose. It was, I wanted a single system to be able to handle any form of industry standard compliance. And so when you do that all within the same tool, now you’re cutting down on time, frustration, cost, really you’re able to see those results right out of the gate. There’s a couple of different things that the TCT portal can help with. And that is when you’re going through multiple certifications at the same time, first I recommend organizations go look at the timing of all those various certifications. Certainly if you can consolidate the timing of when you’re pulling evidence and then go pull it once, but leverage it multiple times for the various certifications that you’ve got, that certainly is substantively easier. And if you are consolidating that data collection down into kind of single draws, now I’m going in and I’m gathering up this information one time, but I’m using it across each of my various certifications simultaneously, that will make things substantially more streamlined and cost effective while making sure that your data isn’t stale. Because one of the problems when you’ve got these different cycles for different certifications is that the assessors really want to see something that’s relatively fresh. They don’t want to see data from nine and a half months ago, they want to see data from the last two or three months at max. And so if you can consolidate all of those pulls, now I use it all across my certifications.
Now the assessors are on, if the assessors are on board, they’re happy because now they know they’re gonna have fresh information and fresh data right out of the gate that they can use across all of their various certifications. It’s certainly a heck of a lot easier. Depending on the compliance management tool that the organization’s using, you also have opportunities for doing certification mapping. So when you look at any given certification in this compliance space, there are a lot of items that cross over. So I often will talk about PCI, and part of the reason I like the structure of PCI and have for a long time is it’s an extremely prescriptive standard. It’s very specific about what needs to be done, specific about how you need to do it, etc. And because of that specificity, it allows you to leverage the information you gather against those PCI controls on secondary certifications, which may not be as prescriptive. So HIPAA is an example. It’s very directional in terms of what needs to be done. And that was with purpose back in the day. I mean, HIPAA was trying to serve everything from a single doc office practitioner to an entire health system type of thing. So they had to be more broad, but using your more prescriptive standards like PCI allows you to go in and leverage the mappings from that prescriptive standard off to your secondary standard. So now you can have the tool working for you where it’s able to go in and do mappings between your various certifications so that when you’re going and loading in your evidence, now I can go ahead and automatically map that off to the standards that you’ve got. And depending on what the organization is doing, if I’ve only got two certifications, well, maybe it makes sense to just map the two certifications together.
But if I have four or five or six different certifications, well, then there could be another alternative option, which is also capable through the True TCT portal, is the ability to create a, we call it customized certification, where it’s effectively a customized singular request list of items that are needed to cover your various certifications, and then you use that to map off to the certs. So we’ve got a lot of opportunities for ways to do streamlining, but certainly it doesn’t make any damn sense to sit there gathering up your information security policy and then having to map that against a multitude of certifications. It just doesn’t make any damn sense to go ahead and do that.
The other area that I’d recommend for kind of consolidation, consolidation with your compliance, is as your number of certifications grows, take a look at your assessors. Some organizations, whatever. We started with PCI, so we got a QSA and now we wanted to layer on ISO. Now we wanna layer on SOC. Oh geez, well, the assessors aren’t an accounting firm or part of the ICPAs. So now we need to go ahead and pull somebody else in type of deal. At a certain point in the game, make sure, and I’d recommend to folks to do this kind of mental assessment each year as you’re going back into your new compliance cycle, to take a look at your mix of, you know, of assessors that you’ve got, because certainly the more you can consolidate those assessors down, certainly the less tools you’re going to be dealing with, the more optimization that you can go ahead and integrate into your, into your overall program, you know. And, you know, the tool choice, which we’ve kind of pinged on that several times, you know, certainly if you have these purpose-built, you know, certification tools, you know, it’s challenging to be able to do some of the things that we’re talking about. But when you’re using a tool like, like we built for Total Compliance Tracking, you know, it’s literally purpose-built to be able to have the flexibility to, you know, to go and map your items across any industry standard certification, you know, type of thing. So, you know, it’s nice if you can consolidate the assessor pool down into maybe a single assessor, or instead of three assessors bring it down to two, whatever you can do to kind of optimize that look, then that will certainly gain tremendous, tremendous efficiencies for the organization that’s attempting to, you know, to kind of go down this path.
Any parting shots and thoughts for the folks this week, Adam? Yes sir, you know, the reality is, is, you know, I hate, I hate it when organizations are just blowing time, wasting time, spending their, you know, resources needlessly, etc. You know, so I can’t begin to underscore enough the importance for organizations to go through, do that kind of gut check assessment of, you know, their current state, how could they make improvements, etc. You know, certainly I’d be happy to go ahead and chat through circumstances with folks, give them some directional guidance, etc. We spent about two years designing the TCT portal before we even started building it. And then we built it from the ground up so that we would handle all these various types of certifications. You know, the reality is that it is built for the singular purpose of making compliance suck less, you know, for the poor folks that have to, you know, have to deal with it, you know, and certainly optimizing your overall security compliance program, leveraging a, you know, consolidating those tools down into, at best, a singular tool, you know, that you can both use internally and with your, you know, various partners that are, you know, they’re helping you, whether it’s consultants or assessors. If you can achieve that, oh my gosh, you are going to get some absolutely phenomenal, you know, efficiencies built into your, you know, into your overall program, and honestly the benefits of being able to do that. It’s bigger than just, hey, we, you know, we want to try to save time on our compliance. You know, the ripple impacts are huge, right? You’re not burning up as much time as some of these other resources within the organization. You’re allowing them to do what they need to do far more efficiently than they were doing before. And, you know, you may be able to conserve enough time, you know, through that optimization where maybe you can put off having to hire another warm body.
Maybe you can, you know, reduce the stress levels of your existing personnel. There’s a lot of reasons why it makes sense to go through and, you know, optimize your, you know, your toolset and your compliance program that’ll have far, far, far broader reach impacts than simply the compliance team. It’s really going to help you in a, across the organization in a number of different departments.
That right there. That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.