Your first security/compliance certification will be a lot like trying to build a model ship. Not just any model ship — my Dad’s model ship.
When my Dad graduated from university, he received a large balsa wood model ship to celebrate the event. This was the kind of model ship that you put inside a glass case. I remember seeing it in our house as a kid, only partially completed.
The model came with limited instructions, which were written by non-native English speakers, and they certainly weren’t designed for first-time model builders. Eventually we moved and my Dad put the model away in storage, where it stayed for decades. After he retired, he pulled it out again and resumed his work.
He is now in the process of painting the hull and installing the masts.
What my father expected would be a straightforward project for a few weeks has taken him decades to complete. It’s philosophically similar to the experience most companies have when they decide to become compliant under a particular security/compliance standard.
If you don’t have first-hand experience or knowledge of running a security/compliance engagement, I guarantee your expected timeline of the effort will be grossly underestimated — by as much as five or six times.
How Long Is a Typical First-time Compliance Engagement?
I’ve seen organizations take as long as two years to complete their first compliance engagement. Eighteen months isn’t unusual.
However, if you have the right guidance and knowledge at your fingertips — if you’re doing all the right things and you’re making use of all the resources, third-party consultants, and compliance automation tools available — you can realistically achieve compliance certification within six to nine months, on average.
But you’ll only achieve that kind of timeline if you DON’T rely exclusively on the existing knowledge and expertise of your internal team. That’s not a disparagement of your staff; it’s just a simple fact. Compliance is an altogether different field than IT, and it requires a specialized kind of expertise. Trying to figure it out as you go will drag out your compliance engagement by months.
OUR Company Won’t Take That Long to Achieve Compliance Certification!
I know it’s hard to imagine that your team could be elbows-deep in a security/compliance engagement for over a year, but it happens all the time among world-class organizations. Here are a couple of unexpected reasons why a compliance engagement can drag on.
There’s more to the requirements than you think
PCI DSS requires you to have antivirus software installed and implemented at your organization. You know that you have antivirus software installed and implemented. So you assume that this particular requirement is already good to go, and you estimate zero time for it.
What you don’t realize is that the antivirus requirement is quite granular: there are multiple line items that dig deep into the details of your antivirus configuration. You’ll need to ask a multitude of questions, such as:
- What machines need to talk to each other?
- What ports and protocols need to be communicating?
- Who is monitoring the overall system?
- What procedures are in place for handling alerts?
- Are the right firewall rules enabled in order to balance strong protection with optimal business operations?
You likely have processes and procedures that only happen once a month or once a year. You’ll need to get your antivirus system locked down to account for everything you’re doing across the course of a year. And of course you’ll need to test and adjust, then rinse and repeat.
Along the way, there’s plenty of trial and error, knowledge gaps to overcome, and unforeseeable roadblocks to deal with.
And that’s just one compliance requirement. There are hundreds of others.
Compliance impacts your entire business, not just IT
Dipping your toe into the compliance realm is an organizational change. It isn’t just an IT change — it will impact everyone throughout your organization. Yes, there are technical changes to implement, but there are plenty of non-technical aspects as well.
For example, everyone in your company will need to go through some kind of security awareness training. You’ll have contractual obligations, which have implications for your sales and legal departments, as well as the executive level. You’ll also need to have certain language in your vendor agreements, which could impact Purchasing and Accounts Receivable. There will be processes and procedures that involve HR as well. And the list goes on.
The human element slows you down
Perhaps the greatest time suck in a compliance engagement is the cat herding and goose chasing that you’ll need to do. To prove you’re compliant with requirements, you’ll need to supply evidence. That means you’ll need to collect it from all over your organization.
Tracking down that evidence will be a lot like herding cats while on a wild goose chase. You’ll be constantly hounding people to submit evidence, sending reminders to submit their evidence, and then hunting for that evidence in about a dozen different locations. Most of your time will be spent chasing files, or spending hours (literally) just trying to understand the current status of your engagement.
What Are Some Ways to Make the Process Better?
I said earlier that you can reduce your time to as little as six to nine months — IF you truly have your act together and you’re entering your compliance engagement with both eyes open. Here are a few best practices to help you cut your engagement time.
Hire a Consultant
This isn’t optional, as I see it. Either get outside help, or go through a long and painful engagement. Hire a compliance Consultant who has a depth of expertise in the compliance standard(s) your organization needs to implement and maintain.
Consultants are invaluable resources to help you to coordinate, orchestrate, and organize your compliance engagement. They’ve been there and they know what they’re doing. A good Consultant has seen it all before, and they know how to maximize efficiencies so that you can accomplish more in less time.
- They have the expertise you need within reach — you don’t need to find the answers yourself.
- They know the pitfalls you’re likely to run into and can help you avoid them.
- They’ve done the trial and error before, and they know what works and doesn’t work under various scenarios.
- They have a workflow and a set of processes to optimize efficiencies — and they can modify them to fit your company.
Making use of a compliance Consultant can dramatically cut your engagement time — perhaps by months. This is the single most significant human resource you can take advantage of in your compliance engagement.
Use the right compliance tools
It takes a Herculean effort to manage compliance in any organization, but the right technology can free up time, energy, and effort (not to mention expense). Not every solution is created equal, though. If you choose the wrong tool, you can find yourself locked into it as you add other compliance standards to comply with.
And that means you’re only multiplying your pain.
Most organizations choose one of three types of tools to manage their compliance engagements:
- Spreadsheets — which quickly prove to be clunky, overly complex, and more of a hindrance than a help.
- The Assessor’s proprietary system — which is fine, if you only use one Assessor, never leave your current one, and don’t mind someone else controlling your data.
- A full-scale GRC solution — which is like using a hand grenade when you only need a fly swatter.
Instead, I would encourage your company to consider using TCT Portal, which is designed specifically for managing compliance engagements, and nothing else. TCT Portal can reduce your manual labor by as much as 65 percent, paying for itself multiple times over in the first year you use it.
TCT Portal alone can be a game changer, reducing your compliance engagement by hundreds of wasted man-hours.
Do your research ahead of time
The biggest task right out of the gate is simply figuring out everything you need to do to become certified under the security standard you’re going up against.
If you’re doing a Level 1 ROC under PCI DSS, you’re looking at hundreds of items that span the entire scope of your business. That means you’ll have to understand what every single requirement means and how to fulfill it properly.
Will your existing configuration pass muster under PCI or not? Will it check all the boxes during the assessment? If not, what changes do you need to implement to satisfy the Assessor?
Compliance is complicated. You’ll have configurations that you think satisfy requirements but don’t. You’ll mistakenly think you understand particular requirements. There will be hidden landmines that you stumble across. You’ll believe something is complete, yet you won’t have the right evidence ready to go.
The length of your engagement will be shortened if you can accurately categorize the items that are good and the ones that still need work.
Assess your current compliance readiness
How much of the framework is already in place? The more that you’re already doing well, the shorter your engagement time.
Most companies start their first compliance engagement thinking that they’re mostly compliant already, and that they’ll just need to make several minor changes to get the certification. They believe that if they knuckle down and plow forward, the engagement shouldn’t take more than three months, tops.
These companies tend to grossly overestimate their compliance readiness.
For the average company walking into a full-blown PCI engagement, you could expect about 25 percent of your requirements to be in place already. Another 40 percent will need some modification or changes to be made. That means about 35 percent of the PCI requirements are completely missing, and you’ll need to fill those gaps.
Make Your First Compliance Engagement Suck a Lot Less
If you’re looking for a set of straightforward instructions to become compliant for the first time under a security standard, you’re going to be disappointed. There’s no defined path that makes sense and gets you clearly from Point A to Point Z. Every company’s path is different, and you’ll have to figure it out on your own.
That said, there are some best practices to follow. Get a good Consultant, use good technology, make good decisions early on, and you’ll have a successful engagement that can be completed in less than a year. That may be a lot longer than the few weeks you’d like it to be, but it’s a hell of a lot better than the average company’s experience.
Compliance management sucks, but with TCT’s help, it can suck a lot less.