Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Do NOT Listen to This Episode… If You Have High Priced IT Talent Just Sitting Around
Quick Take
On this episode of Compliance Unfiltered, the CU guys take a tough look at the topic of costly time wasting and inefficiencies in the IT arena.
Having high priced resources, or “Gearheads” as Adam affectionately calls them, stuck in processes that cost organizations time and money, is a killer.
Curious if security and compliance resources are considered high priced? Wondering where most of the time wasting resides? Trying to figure out how to cut those costs?
You’re in luck, all these answers and more, on this week’s Compliance Unfiltered!
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the corn on the cob to your compliance barbecue. Mr. Adam Goslin, how are you, sir?
Oh. I’m doing great. You know, I can’t wait until the, the, the corn comes back out again. It’s, it’s, it’s gotta be a, we still got a couple of months on, on that for the real local fresh stuff. But man, oh man, I’ll tell you what, that’s, that’s a good time right there. Yes, sir. You are.
Yes sir, you are not wrong at all. Now, we’re gonna do things a little different and start this one off on a different note. The title for this episode is, if you have high-priced gear heads just sitting around with nothing to do, do not listen to this podcast. So I think the title speaks for itself here, Adam. Do this one up for us.
Well, I’m just sitting here and, you know, envisioning, you know, you got, you got this company right now, all of their really expensive, you know, technical folks that carry high price tags. They’re just sitting around there, they got nothing to do, they don’t have any projects. You know, you go walk back into like the, the IT area and they’re, you know, they’re playing various forms of online games and card games, maybe they got a poker game going back there or something, who knows, you know, their backlogs clear, there’s nobody on the business side wants for anything. The ticket responses are handled in seconds, you know, and, you know, the company likes this group of gear heads so much that they’re just perfectly willing to pay them to sit around and they have all sorts of free time on their hands, you know, it’s like the best part is, is that for any, for anybody that didn’t find themselves in that position of having the high price gear heads sitting around with nothing to do and is actually listening to this podcast, um, you know, they’re all laughing because they know damn well that the, the high price gear heads don’t ever have enough time on their hands. Um, you know, et cetera, um, that they’re usually, uh, overworked and there’s not enough hours in the day and you’re in a position to having to prioritize the, you know, battalion list of things that you want to go get done with the gear heads, but you just, you literally don’t have enough resources. And so that’s why we kind of, you know, we’re doing the, you know, doing the tongue tongue and cheek play on the, you know, the title for this one, because I, I would be shocked if there was any, any company that was sitting around that was, you know, that just happened to be in this position.
Yeah, no doubt about it. Now on security and compliance engagements, is it typically high priced resources? There’s typically high priced resources involved there, right?
Well, yeah, because if you think about it, you know, and really we’re looking, this discussion is coming from the perspective of an organization that’s subject to compliance, you know, not so much the, you know, kind of the consultants and assessors of the world, but for those that are going through compliance, the folks that are on the, you know, on their team that are the high-priced gear heads, as I affectionately call the, you know, the crew in IT, if you will, you know, they are usually at the center of the overall engagement. You know, they’re the ones that have their, you know, hands in the midst of, you know, all of the scoped, you know, scoped elements of the security and compliance engagements. They’re the ones that are the, you know, they’re the gatekeepers, they’re the firewall admins, they’re the network administrators, they’re the, you know, the developers, the architects, the DBAs, the day-by-day IT people, the, you know, the folks that are on the internal security team. And like, that’s the group we’re talking about with the, you know, high-priced gear heads. And yeah, that contingent on any normal engagement is probably responsible for, uh, but 80, 85% of the scope of the engagement. So yeah, I mean, it’s, yes, typically it’s these high-priced resources that are at the center of it. Now the high-priced resources, certainly, you know, depending on the size, the scale of the organization, they may have some underlings that can go and grab stuff, et cetera, but you still have the high-priced resources. They have to double-check QA things before they, you know, before they go through, et cetera. If they’re lucky enough to have a capable contingent of underlings that can go off and, you know, kind of accomplish some of the things on, you know, in terms of the evidence gathering, question answering, et cetera, you know, that’s done in, you know, in the operational nature of the security and, you know, and compliance tasks.
So yeah, those high-priced resources are usually right in the thick of it when it comes to the, you know, comes to the security and compliance engagement, you know, each compliant cycle.
Yeah, I would imagine so. Now, where is a lot of time wasted on these security and compliance engagements?
Well, you know, if you, if you think about the atypical things that, you know, the, that will happen on a security and a compliance engagement, um, you know, the, the, the organization, you know, the organization, you know, there’s, there’s several things that are happening, you know, during, you know, either, you know, during the, you know, during the course that you’re like, once you get to compliance season, sorry, not compliance season, but once you get to assessment season is what I mean. So as they start to prepare for, and then to get through their annual assessment, you know, they’ve got, they’ve got a lot of things that are, you know, primarily a gigantic waste of time, which by the way, uh, I can tell you, I can tell you from firsthand experience that the gearheads are not a fan of a number of these, uh, we’ll call them necessary evils, uh, you know, on, on one of these engaged, there’s nothing, there is nothing that’ll grind, uh, forgive the pun grind, grind the gears of the, uh, of the gearheads more than sitting around in meetings. So, uh, you know, that, that, that makes them particularly appreciative of a secure, a good old fashioned security and compliance engagement, because, you know, there’s, there’s prep work. It has to go into, you know, a lot of times people will establish, you know, kind of like a weekly meeting, right? Well, it’s not just, we’ve got this weekly meeting on the books, but it’s, I have to get prepared to go walk into the meeting. Where’s my stuff at and which items are done. And if I’m waiting on anything, then why am I waiting on it? You know, why isn’t this done yet? Uh, you know, I, I, you know, get gathering up of evidence, getting it in, whatever it may be, there’s all sorts of things that happen.
And, but just getting prepared for the weekly meeting, it’s on a smaller scale with a lot of the participants, but it’s certainly on a larger scale, uh, with the poor soul at the company that got the nod of being, you know, what I love to call the eye of the compliance hurricane, AKA, fill in the blank, pray the, the project manager, the head of it, your compliance, internal compliance person, you know, et cetera, whoever got that nod for having to coordinate all of this crap, they’re the ones. Yeah. The lucky one. Right. Uh, they are the one that ended up blowing the most time, but everybody on the damn team, just trying to get ready for the meeting is an act in and of itself, let alone that now we’ve got the time that we’re actually going to sit down and the weekly meeting. Well, out of the gate, you know, out of the gate, um, you know, when, when you’re first going through compliance, et cetera, Oh, I can tell you from firsthand experience living that nightmare that, you know, you, you’re, you’re sitting in these meetings for, let’s call it an hour a pop, you know, an hour a week for the, you know, cause the weekly stat internal status meeting, you know, type of a thing.
The best part is, is that as you start to come to that crescendo of the, you know, we’re right in the thick of it. We need to get all of our stuff in and, you know, the assessor’s jumping up and down because they need all their stuff and they need it by here so that their resources can go through and do what they need to do. You know, there’s like this, this, uh, push that ends up happening. So you end up actually elevating the meetings where you were going like once a week for the, you know, for your internal meetings, now, maybe we do it twice a week, sometimes it’s three times a week, some organizations will say, screw it, meet every day, just to keep things moving. Um, it gets, it gets brutal, man, as especially as you’re starting to really get into the thick of it. Um, you know, you take a step back and, you know, and, and you say to yourself, there’s two different, you know, two different elements that’ll typically come into play for an organization. That’s trying to, you know, kind of do this on their own. And one is that they need to generate a place to store all of their stuff. Um, you know, for, for a lot of organizations, though, you know, whatever their chosen us, whoever their chosen assessor is, maybe the assessor says, Hey, you’re going to need to go put all of your stuff here. Well, it’s not a brilliant idea to just use the assessor’s system because guess what, sometimes, uh, sometimes assessors either move on or are moved on. Um, you know, and you switch assessors. Um, you know, you don’t want to put all your eggs into that basket only to evaporate the only location of storage and archival for your stuff. So typically what happens is for the organization going through it, they’ll create their own storage system internally. Uh, but then they’ll get over to the, you know, over to the assessor, but somebody’s got to go build out that, you know, where are we going to put stuff and how’s it going to get organized, et cetera.
And in related to that, uh, you know, each year or whatever is somebody sitting down and saying, you know, this is going to be our process for, you know, going, collecting up information. How do you pass in your updates? Who’s making the updates to our central? Usually it’s an Excel sheet, you know, something along those lines that ends up getting leverage. Who’s going to update the Excel sheet? Are we going to have 40 different people updating the Excel sheet and stepping on each other’s toes and, and, uh, you know, crisscrossing updates, et cetera. Or is that a poor soul that we nominated as the eye of the compliance hurricane, just getting, you know, absolutely f’ing bombarded by everybody with, you know, Hey, I did this. Hey, I did that.
And they now have to go in and be the singular point to go make all the updates, whatever, you know, different companies do it differently, but you know, you need a place to put your stuff and you need to have a, uh, uh, you know, some type of a framework for how are we going to go about doing this from a process and procedural perspective each year, you know, the, the other things that come into play. Um, so one is just the people that have to go in and collect, you know, up all of the various pieces of evidence. There’s time that they’re spending collecting up that evidence, trying to figure out what it is that I need to provide? What did I provide last year? Uh, you know, things along those lines, those, all of those elements kind of come into play. So for those doing the evidence collection, you’ve got activities that are spent around all of that. Um, some again, they usually it’s whoever they nominated as the, you know, we’ll call it the eye of the eye of the compliance hurricane. Um, you know, that poor soul is the one that then gets everything organized, right? Um, because when you’re on these engagements, it is an effing nightmare. It’s just a nightmare. Um, you know, I can go and lay out, lay out this process. Hey, everybody go put your stuff here and update Bob and, you know, and, and, you know, tweak this lever and blah, blah, blah, blah. I can have this amazing process. Do you think that everybody’s going to follow it? Oh, hell no. You know, there’s people that are walking by you in the hallway and say, Hey, remember you told me to grab you, blah, blah, blah. Yeah, I put it, I, I sent you an email about that. You know, and then you’re sitting in a meeting about HR, you know, some HR topic or something, meanwhile, somebody’s giving you an update on what they did with their, you know, with their compliance management stuff, they’re sending you text messages, they’re calling your desk phone and leaving you messages.
They drop it onto a place on the network that they have access to, uh, and tell you where they put it, you know, or, or, or, and you’re, you’re literally, you’re just, you’ve got all of these people just, it’s like helter-skelter, they’re doing everything under the sun, you know, and they’re in 18 billion directions and, you know, blah, blah, blah. So just organizing the evidence, be, you know, collecting that all up and keeping it in one spot and keeping it an organized state, whatever, that’s a job in and of itself, and then we haven’t even gotten to the fact that now with all of that crap that’s going on internally, now I need to sit down with the assessor and talk about, you know, what the status of different items, et cetera, that are all, you know, that, that, um, you know, that are supposed to be getting headed in their direction. I think that I’ve sent it to the assessor. The assessor’s not sure that they got it. Oh, wait a second. No, the assessor got it, but they rejected it, but some, someone so missed the memo that they rejected this particular item, uh, you know, uh, and whatnot, uh, you know, asking questions about, well, why did you reject it?
Or why isn’t this good enough and, and, and so just, just simply trying to make sure that you’re staying in lockstep with your assessor, uh, as you’re going through this process, that, that is another realm unto itself, you know, if you will, it’s, it’s brutal, man is, it is brutal going through and, and, and doing these things, you know, and whatnot. So there’s, there’s a lot that plays into it.
Well, I guess that kind of leads to the question, like, right, what could these organizations be doing differently with their programs?
of all that is holy and true, do yourself a favor, step away from the F’in spreadsheet, step away from your SharePoint, step away from your homegrown systems and blah, and head toward some form of a sane sensible compliance management system. These tools were built to be able to alleviate the crap on these engagements that is an utter waste of time, stepping into the space of compliance management tooling. I’ve told this story several times before on the pod, but the TCT portal is TCT’s compliance management system. Honestly, it is the system that I wished I had when, number one, I had to go through my very first security and compliance engagement and experienced all of these things that I’m talking about that were mind numbing waste of time. Then for me, I stepped out of that arena to go help people in the security compliance management space and I have spent now north of 15 years doing nothing but helping organizations navigate the waters of security and compliance. The first, unfortunately, about the first, I want to say six years or so of that, I was still forced to leverage all of the things that I mentioned earlier, the Excel spreadsheets and drop zones and file shares and I was the eye of the compliance hurricane across numerous, numerous engagements. Quite frankly, it’s the reason that we built the TCT portal. Honestly, if everything that I’ve been talking about so far, you’re like, yeah, yeah, yeah. Then just do yourself a favor and go look at a compliance management system because it will save such an astronomical amount of pain. It’s not even funny.
What type of savings would a typical organization see in their first year?
Well, you know, for, you know, for, for organizations and what I, you know, what I’ve done, I kind of went into those buckets I was talking through earlier and I want to note for the record, I’m going at this from the perspective of a very small team, handful of individuals, you know, one compliance standard, that type of thing. You know, the reality is, is across, you know, on a small engagement, you know, you’ve got, you know, the status meeting preparation work, you’ve got weekly internal meetings, the creation and process development of how we’re going to go in and do this manually, we’ve got the evidence collection and tracking, we’ve got organizing of the evidence and the time that’s spent with the assessor, even on the very small list of engagements, you’re talking about, you’re talking about over 300 hours for an atypical run at compliance. And you know, when you, when you, when you look at it from that perspective, now I want to make sure that the listeners are on the same page as me. And that is that now when I’ve got multiple standards, multiple assessors, a bunch of people that I have to go in and collect evidence from more than one, you know, the more than one assessor is across by more than one framework. I have complications like a whole bunch of locations, you know, that I have to go in and collect evidence from as soon as you start layering all of these things on, you’re moving from hundreds of hours into many hundreds of hours, if not more than likely thousands of hours all told across the team. I mean, we’re, we’re talking about a lot of F’in time that’s put toward these engagements and it all adds up pretty quick. So you know, your question, you know, your question for me was, you know, what kind of savings can they see? Well, that organization that’s got, you know, officially when I, when I, when I kind of tallied up my numbers for a small team, I came up with about 325 hours, right?
When we’re in the first year that you’re going in and you’re, and you’re using a compliance management system like the TCT portal, you literally can cut that number to a third of that. So in other words, instead of 300 and change hours. Now you’re just, you know, just north of a hundred hours that you’re spending on, you know, spending on these compliance related tasks. I mean, it is a, it is a really, really, you know, really, really big deal when you get into leveraging this compliance management system, because, you know, now I’m able to do things like, you know, we talked about, you know, kind of preparation for the status meeting. Well, I mean, think about it. You’re using a compliance management system where everything lives. You know, I don’t need to worry about whether or not the person, the gatekeeper that I went to, handed the evidence to actually update the central tracking system or not, the act of attaching and moving it through the workflow in the compliance management system.
That’s live information. So the time that I would just pour down the drain every F’in week before every F’in status meeting is gone. I can literally go and walk into my weekly internal status meeting, not needing to prepare my status, but instead I can walk in, I got live status. So that’s eliminated. Usually what I’ll see through the use of a good, or a good compliance management system is those kinds of weekly internal meetings. Those go now from an hour per meeting. We can easily get those down to like a half an hour per meeting. We’re not, we’re not trying to figure out where things are. Instead, we’re trying to figure out what we need to do? And so it’s a really big shift. Uh, you know, these organizations, they don’t need to spend, uh, a chunk of time every year with, uh, you know, creating their storage systems, having to manage, manage, manage, maintain, train their personnel on the process. They’re going to go through with their, you know, kind of manually clung together system, um, you know, all of that’s eliminated. Even the, you know, the evidence collection and tracking, uh, you know, uh, activities, those now make no mistake. A lot of people are like, Oh, so, you know, you just go use this compliance management system, poof, everything’s just magic. Well, no, it’s not poof magic. Uh, what it is is that the compliance management system is offloading all of the utter waste of time that you’re going to, that you’re putting in on these engagements, make no mistake, there will still be a chunk of time related to the gathering of your evidence, et cetera. However, that gathering of evidence now is markedly more streamlined because now you’ve got instructions for the people that are doing the evidence collecting. They know exactly what it is that they need to go in and grab and gather and garner, you’re eliminating questions and delays through that process. So, you know, you can usually gain about 25% efficiency on the, at the actual evidence collection time.
Uh, you know, but the time that was used to be spent having to, you know, kind of gather all the evidence and make sure we had all the stuff in the right spots. And I talked earlier about all the different plethora of ways that people were winging evidence at me back in the day, you know, that’s eliminated. So all of that time goes away. Uh, and the time that you would spend with the assessor, you know, trying to figure out, you know, did we send this in? Did we not send this in? Did you reject it? What did you say? What was the reason why? Again, it’s all in the system. It’s when you get into this compliance management tooling arena, when you haven’t been in there before, it is like, it is like clouds, part angels, I’m not joking, man.
I, I, I, I, I wrote the tool I wished I had, uh, you know, and whatnot. Now, the one thing that I will tell, uh, you know, tell the listeners is if you go out the short form to get to the TCT website is go to, uh, get gettct.com, uh, and hit the enter and that’ll forward you over to our, you know, uh, ROI calculators and what I’m looking at right now is I’m looking at the, uh, ROI calculator for applicants in our world, people that are applicants are those organizations that are applying to be certified. Um, so we decided to call them applicants in our world, but, uh, go ahead and hit the run the numbers button there. And you’ll be looking at the, the ROI calculator, which kind of gives you boxes for, you know, filling filling thing in different, you know, hourly amounts, et cetera, uh, but that way you can take a crack at, you know, kind of comparing, you know, your scenario, your situation, um, you know, to what would it look like if you were leveraging a, you know, a, a, a good solid compliance management system.
How big of an issue is turnover when it comes to the high price resources that we’ve been talking about?
Oh, dude, you want to talk about one of the most painful things that these organizations would have the joy and honor of going through. We get the luxury of just talking about the pain they’re going to experience in terms of an experienced gearhead that was central to compliance. The impact to compliance is going to be a big deal, but I guarantee you that these high-priced gearheads, turning one of those folks over in any organization, it’s painful, period. I’ll focus in on the impacts to compliance, but it’s a big effing deal. As you go through year over year, as you go through compliance engagements, especially if you have somebody that’s been involved for the last two, three, four years type of thing, they know the questions that they’re going to get asked. They’re used to being part of the process. They become familiar with, well, what evidence do I need to go grab, and where do I need to go get it from? In a lot of this, it almost becomes tribal knowledge to these individuals, and they end up gaining a lot of boots on the ground experience with how to navigate the waters of your security and compliance engagement. The minute that you have turnover of one of these central figures to your security and compliance engagement, oh my, is it? It is a gigantic deal because you’ve got to go through, and again, I just focused on the security and compliance aspects of it for your annual engagement. It’s gigantic because now I got to go get some noobs in, what? Maybe you have a couple, at best, a couple weeks of crossover between your experienced gear head and your noob gear head, and what, in two weeks? If you think the organization’s going to spend a modicum of time trying to play transfer of the compliance crap, you’re dreaming. Basically, their goal, their objective is really, we want to get the operational knowledge transferred from experience outgoing to the noob type of thing.
Their focus is primarily going to be on operations, and likelihood for the compliance folks, and I know damn well they’re sitting here listening to this and nodding their heads. The poor compliance folks, they literally, get to experience Groundhog Day every time that one of these resources turns over because now they got to just say, we’re starting from scratch, baby. We got nothing, and now we got to go and teach this person all of the stuff that I’ve been showing the experienced person for years, we get the joy of starting over. It’s just all the way around. It is unbelievably painful. You think about it with where the economy seems to be at these days, there’s high demand for folks that are the high priced gear heads of the world. They’re starting to get under extremely high demand, so I’m positive. We’re going to see a bunch of movement in the space, and the unfortunate part is usually when you’re flipping resources and whatnot, it’s usually those you can afford at least to lose are unfortunately the ones that typically are the ones that go.
I expect that we’ll see a lot of organizations with high priced gear heads that are going to be flipping over, and unfortunately, I know damn well that it’s going to be extremely painful for them.
Now, what happens in a year like year two and beyond as far as the savings is concerned?
Sure. So, you know, if you think about it, the year one on a compliance management system, this is really, this is your first opportunity to start, you know, kind of gaining, you know, gaining some ground, gaining adoption of the, of the compliance management system, probably for the organization, the first time ever that they know all of their explanations, file attachments, everything they use to go support their annual compliance run is actually all in one spot. You know, which again, that’s why I was saying earlier, you know, once you get into this space, you’re using a compliance management system to run your program. It is like the clouds part, the angels sing, et cetera, because for most of these organizations, they haven’t experienced, you know, actually having everything in the same spot at the same time is usually spread all over the fricking place. You know, when you, when you get into that year two, you know, you get to, you get to a point where you get to a point where really your, your man hours really start to, you know, really start to get shaved down. There’s a couple of intrinsic benefits that happened in that year two. Well, now I’ve got this rock solid repository of evidence from the prior year. You know, when, when, when they, the, when the users are going in and leveraging it for the first time, you know, the, yes, they’re able to take advantage of things like, you know, clear, clear descriptions of what it is that they need to go grab. You know, they’re, they’re able to review some helpful notes, et cetera, from maybe their assessor or from their security compliance consultant, you know, type of a thing. So they’ve got these kinds of helpful tidbits in there, even out of the gate. But once I get to year two, the other thing that they’ve got, which is huge, is that now I have ready access to precisely what was delivered last year. Well, it was the evidence that we attached to this particular item last year. You know, it’s sitting right there.
It’s at your fingertips. So now instead of just reading the description of what’s needed and still consternating about, well, which evidence is going to work into the, I don’t need to go through any of that. All I have to do is go look at last year. Now, you know, you, you think about, you know, you think about it from the perspective of, you know, that, that kind of painful, painful gearhead turnover, right? Well, if last year I had Mary, who was one of the, one of the gearheads and Mary’s moved on and now Bob is in, right? Previously what we’d have to go and scour how many different F’in sources to try to piece together what Mary did last year, what evidence they use for filling the blank last year, you know, et cetera, you’re looking all over the place to try to piece this together this year with a compliance management system. And Mary now has left the organization and Bob stepped in. Guess what? All Bob has to do is go in, look at last year’s track. He can see precisely which items is it that Mary was provisioning evidence for.
He can see precisely what additional explanations that Mary needed to provide. He can see exactly the file that was presented. So all he has to do is just go in a mirror, you know, mirror what, you know, what Mary was going in, grabbing, garnering, et cetera. Your amount of time, even in the evidence collection side, your evidence collection, literally year two plus, that’s chopped in half over what it used to be, you know, back in the day. You know, it’s just, there is a ton of savings when you get into that kind of year two, year two arena. Make no mistake. You’re still going to need to go to weekly meetings. You’re still going to need to go in and gather evidence, but a lot of the, all of the other wastes of time on the engagement, they just evaporate. And so you’re able to go from, you know, your hours actually, generally speaking in year two and a manual model, your ears, Jesus, your, your hours go up in year two because now you’re having to kind of deal with the aftermath from the prior year and sorting through loose ends from, you know, from your last year’s run and things along those lines where, you know, when you’re using a compliance management system, you don’t have that. So like the hours that I had when I, when I went into year two, earlier I was saying it was 325. Well, those hours jump up to about 365, you know, in year two, because now in a manual system I’m going through and I’m sorting out those loose ends. However, the volume of savings goes up, you know, in that, you know, in year two. So my total, even though my hours went up to 365, my actual hours spent on the engagement activities are less than 80 at that point in the game. And again, this is a tiny engagement, but, you know, on that ROI calculator, we also have in there the ability to put in the average salary of the gear heads or the people that are, you know, working on your compliance engagement.
And you can see the, you know, you can basically see the dollars in there for the amount of time translated with, you know, with an hourly rate as to how much, how much in terms of dollar savings you’re going to be able to see. It is a, it is a big deal, a big, big deal.You know, I, it’s the whole reason I wrote the damn system.
Good stuff, parting shots and thoughts for the folks this week.
Well, I said it before, I’ll say it again. I set about building the system I wished I had back when I had to do all this crap manually. One of the big differences about TCT is that it was built by people that have literally experienced the same pain that you have in terms of managing engagements, in terms of collecting evidence, in terms of trying to ascertain status and being pissed about how much time we’re flushing down the drain. The sick part about a lot of organizations, for a lot of organizations, they have this notion that what we did last year worked, quote, unquote, so we’ll just do the same thing again. Or they have this notion that it’s not, I love this one, it’s not costing us anything, finger air quotes. If you go in and you play with that, I’ll call it an easy example. I called the hourly price of the gearhead 65 bucks an hour. Somebody that’s, let’s say on average, making around 120, 130 grand a year. That’s probably a nice average for a gearhead. It’s definitely not one of the more expensive gearheads, if you will. But even at that rate, on a tiny engagement, even on our year one example, we’re able to show that we’re going to save the organization over 14 grand in the year two plus. It’s closing in on 20,000 a year in terms of the value of the hours that get saved on these engagements. You put that up against the costs for a compliance management system. Quite frankly, the beauty of it is, and the reason I price the portal the way I do, is that I literally priced the portal so that it’d be an absolute no brainer for somebody to go and do. Because if the cost of doing it manually or three times the cost of just getting the portal, well, then you should get the portal. It makes it really easy. The other big difference about TCT, I like to call a distinction between us and the other, I call them the other folks out there that have a bag of money and an idea to go help people in the compliance space. The big difference is that we’ve been there.
We’ve lived this. I’ve lived it as someone going through compliance. I’ve lived it as a consultant to folks going through compliance. I’ve worked alongside assessors for compliance. I spent years doing level one PCI reports on compliance QA work. I’ve seen it from all angles and the other beauty of the TCT portal is this. We launched the portal back in 2015. Right now, we’re in Q2 of 2025. The TCT portal has been up, running, live, serving folks in the security and compliance space for over a decade. During that entire period of time, we have taken the mantra of listening to our clients, listening to those folks that do live this day in and day out, seeking their input, seeking their recommended features and enhancements. The TCT portal literally is a system that’s being used. It’s for people in the security and compliance space with input, feedback, and enhancements by those same people in the security and compliance space for north of a decade. Long story short, we coined the phrase that we’ve been here to make compliance management suck less since 2013 and by God, we’re going to stick by it.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.