Compliance Unfiltered is TCT’s new podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Adam’s Story


Quick Take

Adam Goslin gives you a breakdown of who he is, where he gained his expertise, and exactly why the hell you would want to listen to him about compliance.

Adam also provides some background on his own experience through the compliance circus, and how he founded Total Compliance Tracking out of a desire to help people make their compliance experience suck less.

In this episode, Adam and Todd discuss:

  • Why the hell should you listen to Adam Goslin
  • Adam’s compliance story
  • Why Adam got into this space
  • Why are we doing this podcast?
  • Why companies struggle with Making Compliance Suck Less


Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.

Todd Coshow
Welcome to another edition of Compliance Unfiltered, I’m Todd Coshow, alongside the triple shot of espresso in your compliance morning. Mr. Adam Goslin. How the heck are you, sir?

Adam Goslin
I’m doing good Todd, how’s it going for you?

Todd Coshow
I can’t complain. I truly can’t. I’ve had my triple shot of espresso, so we’re in a good spot today.

Todd Coshow
Let’s chat a little bit about how the TCT portal helps boost assessment firms competitive advantages. Now, given your experience interacting with numerous assessment firms over the years, what have you noticed at a high level about how these firms are approaching their engagements?

Adam Goslin
Well, one of the things that I noticed when I was starting into doing compliance consulting was just how different all of the different assessors that I worked with would go about doing it. The compliance standard didn’t change between client to client.

Adam Goslin
However, each of these assessment firms, they had their own way of doing things that worked for them, for running their kind of their client engagement. Really, you think about it, that process is the assessment firm’s secret sauce, right?

Adam Goslin
It’s one of their competitive advantages that they can take advantage of. And if the listener is like most assessment firms, then they take pride in their proven process and they use it to stand out from their competition.

Adam Goslin
You can bet that they’re probably on the phone talking to so-and-so as whoever it is evaluating. And they’re kind of pointing out the pride that they take and how they go about doing things and why.

Adam Goslin
Their experience and etcetera all comes into play. Any compliance management tool that an assessment firm is leveraging, it needs to not force that assessment firm into just a canned workflow. We have one way to do this and you’re gonna do it this way and good luck shoehorning your process into our tool.

Adam Goslin
And that’s one of the big reasons why TCT Portal was designed. It was designed to be configurable, to be able to fit the needs, desires, capabilities of these different organizations that way they can kind of preserve that secret sauce that they’re so proud of, that they’ve leveraged.

Adam Goslin
We realized from the beginning the software you pick, it needs to enhance the competitive advantage, not dilute it. So that was an important factor for us as we initially launched the TCT Portal back in 2015 and then have spent what, north of eight to nine years, just continuously making it better.

Todd Coshow
Coming up on a decade, man. That’s wild. How do assessors starting out their various engagements and your struggle, excuse me, starting out their various engagements and how can TCT portal help?

Adam Goslin
Well, the one big differentiator for TCT is we’ve got customized template capability. So you’ve got to remember the TCT portal from its start was not, it wasn’t built to be a PCI compliance system or a HIPAA system.

Adam Goslin
I named the company appropriately. I named it Total Compliance Tracking. In other words, I wanted a system that would be able to handle any industry standard. And it’s part of the cool part about our capabilities is as a result, we can do whatever the organization wants.

Adam Goslin
We’ve got these, what we call customized templates where it provides fully configured certification tracks that allow organizations to hit the ground running with their compliance engagements. These template, the templating capabilities that we have, it eliminates all of that initial setup activity that these assessment firms end up having to do for every single client engagement.

Adam Goslin
The template also has kind of an added bonus of really improving the consistency across engagements. It’s one of the kind of fun parts kind of seeing the impact that TCT portal has had on these companies is I would hear them, I’d hear them griping about how, even though they laid out this process, etcetera, everybody was just kind of doing their own thing or whatever it may be, with the customizable templates,

Adam Goslin
you can preset the starting points for each engagement. You can pre-populate assignments across the board. You can preload examples and guidance, giving, you can provide your assessors, sample or starting point report text to be able to start building out their report text from.

Adam Goslin
Not only do you need a template for each certification, but depending on the organization and their choices around how they wanna structure their templating, they probably are gonna need multiple templates, which we can support as well.

Adam Goslin
So maybe on a PCI engagement, you’ve got a bunch of different scenarios you’re dealing with. So you’ve got clients that do or don’t have physical locations. You do or don’t have wireless POS, POI devices, and a bevy of other possibilities.

Adam Goslin
The TCT portal allows the organization to create multiple templates that they can tailor for each of their client situations. It makes it supremely easier on the organization to be able to maintain their way of doing things while simultaneously being able to implement those in a consistent manner across the board.

Todd Coshow
For sure. Now, how does the assessor experience relate to the guidance they wish to provide on their engagements?

Adam Goslin
Well, they’ve got the guidance section within TCT portal. It allows for generation of your own directional guidance for specific requirements or line items that gives the clients tailored instructions or explanations.

Adam Goslin
Look at the guidance section within TCT portal. This is the capability for the firm to leverage their knowledge, their expertise, things that they would normally, under normal circumstances in advance of using the system, they literally would have had to explain over and over and over and over again to every single client that asks the same question.

Adam Goslin
And so what I typically will tell the assessment firms to do, implementing the tool, it’s an act of internal configuration setup, adoption, but training as well. So train the clients when they are starting out their engagements to refer to the guidance that’s contained within the TCT portal.

Adam Goslin
Now you have a scenario where your clients are able to self-serve. They can go in and they can get answers on their own. They’re not waiting till the next weekly meeting, etcetera, to go ask the same question you’ve already gotten eight, 10, 15 times before.

Adam Goslin
It also helps because now you have less interruptions for your own assessor staff. The clients are more capable of being able to do what they need to do and still receive the directional guidance from your team.

Adam Goslin
And the best part is, however you’d like. You want it in plain English. You want it uber-technical. However, it doesn’t matter. And as a result, we see assessment firms that have accelerated engagements.

Adam Goslin
And customers are generally seeing a greater level of value out of the interaction between them and their assessment firm.

Todd Coshow
Now, what about assessment firms with a very specialized approach to data collection, such as like leveraging a request list?

Adam Goslin
Well, we talked a little bit ago about the custom certifications and you think about PCI, right? It’s pretty overwhelming for most organizations that are trying to eat the elephant, if you will, to make things simpler for their clients.

Adam Goslin
There are a lot of firms that they don’t want to just dump the full breadth of the PCI DSS to their client, but instead, they’ve created some type of a data information collection list. Maybe they call it a document request list.

Adam Goslin
It basically boils down the multiple hundreds of potential items from PCI and boils it down to whatever, 135 things that we need from the client. The cool part is that when the firms have put this together, so most of these assessment firms that take the style of an approach, they’ve typically done it in whatever Excel or whatever it may be, and they’ve written it however it makes sense for their engagements based on their experience in a way that the clients can understand.

Adam Goslin
The TCT’s custom certifications effectively are a collection list of line items that you’ve created yourself. You can share that list with your clients instead of this full-blown PCI DSS 4.0 track and just focus on the collection of the 135.

Adam Goslin
Since the TCT portal has the ability for cross-mappings between various certifications, you can automatically link the client evidence that’s coming into your information request list out to the various destination locations across the country.

Adam Goslin
It’s absolutely huge. I love giving this example, but let’s say the client has an overall information security policy. Well, in PCI, that overall information security policy, dude, that’d be connected to 120 to 150 different line items across PCI at least.

Adam Goslin
The coolest part about it is that the client goes in, they feel they attach their overall information security policy in one spot. Meanwhile, the assessment firm that’s sitting over on the PCI track, instantly they now have that security policy is now splayed out across the 120 to 150 different locations.

Adam Goslin
Oh, it’s automatic. It is so freaking cool because now you can really go in, use that kind of request once, use many style notion. And the better part is the assessment firm also, we’ll do it however they want, but they’ve got choices.

Adam Goslin
They can only expose the request list to the client and the assessors can see both the request list and their PCI track, etcetera. But that way they can go ahead and leverage how they see fit, number one.

Adam Goslin
Number two, and this is kind of a common question that we’ll get, there’s a difference between a general industry standard certification, NIST CSF 2.0 or PCI DSS v4, whatever. Those are industry standard certifications, which would then be accessible to any user of the TCT portal.

Adam Goslin
When we go in and create the document request list, which is really that assessment firm secret sauce, it is their competitive advantage, etcetera, that’s only leveraged then for engagements with that particular organization.

Adam Goslin
It’s not publicly accessible. It’s not shared with anybody else other than your clients, but that way the assessment firm doesn’t have to worry about it. They can set it up and configure it however they wish, and they’re able to gain that increased consistency across their various engagements as they go through the year.

Todd Coshow
Well, how could the assessment firms leverage TCT portals API to generate various synergies?

Adam Goslin
Well, the TCT portal API, it really allows for both the import and export of data between the compliance management software and other systems. So what we’ve seen for some organizations is that they’ve got whatever.

Adam Goslin
They were struggling internally, and they had built up certain dashboards that are being leveraged internally. They’re integrated not only into the compliance stuff, but maybe they’ve got 18 other realms of data and information they present to their various assessors from a variety of systems.

Adam Goslin
And they use the dashboarding on their end just to consolidate it all down into a single pane. Instead of making them, well, sorry, you’re going to have to go to the TCT portal interface to be able to see any of that information.

Adam Goslin
The API could be leveraged for a couple of different things. They could certainly pull statistical data information, status information, etcetera, over to their already existing customized dashboards and reporting tools.

Adam Goslin
But they can also take that and integrate it with various other platforms. So some of the automation of TaaS via the API could include integration of compliance data with analytics reporting for tracking purposes, displaying the status of the client compliance tracks on dashboards that you use internally and possibly already are sharing with other third parties.

Adam Goslin
You can use it to view summary information about each of the engagements, pulling the task and status information into your internal ticketing system, such as JIRA, making the compliance task as complete within your system, and then setting a trigger to load up explanations, evidence, etcetera.

Adam Goslin
And you can mark it done through the API. So there’s really a lot of capabilities that will have the potential to help the assessment firm be able to, again, customize their experience for compliance management in a way that makes sense for them.

Adam Goslin
That’s one of the main key goals that we had for the platform is I wanted a platform that everybody would be able to take advantage of their way of doing things and yet do it on a consistent singular system.

Todd Coshow
Absolutely. Now, finally, one of our most revered capabilities. Tell us more about one click reporting.

Adam Goslin
You just broke out. But tell you more about one-click reporting, no problemo. So the one-click report generation, it’s always fun when we see the organizations that start having the light bulbs go on about this capability.

Adam Goslin
Especially with PCI DSS v4, we’ve got the ability to automatically generate the outbound reporting. So for a lot of the assessors out there, I think they would rather extract their fingernails with pliers than go through all of the manual labor for every single freaking ROC, SAQ, AOC, etcetera.

Adam Goslin
The coolest part about the TCT portal is it automates the entire process. So on our platform, and it depends again on the client’s preferences, right? If the client’s integrated, the end customer is leveraging the system for provisioning evidence and explanations, those flowing up to the assessor.

Adam Goslin
They’ve got the capability to take the platform and basically workflow it from the client to the assessor straight through quality assurance team and move it over and into a completed state. Really, we can customize up the workflow however they want, but that’s more often than not, that’s kind of the typical workflow.

Adam Goslin
But the cool part is that then they can template out their report text starting points as I discussed earlier, customize it up for that particular client engagement, go through the review process with QA, move it into that completed bucket, and then at whatever point in the game they’re ready to generate reports, they literally just go to the top of the screen, say hit the button and allow the reports to generate and poof,

Adam Goslin
all of the information from the engagement that’s now been configured in is automatically put onto the templates that the council requires.

Todd Coshow
Is it a word doc or is it PDF? Is it editable? Like how does that work?

Adam Goslin
Yeah, so by default, it goes into the Word doc. So the organization still could do additional customizations to it if they want. But whatever, 99% of the pain is now just eliminated with the button click.

Adam Goslin
We’re talking about PCI here. So PCI is a standard where they have prescribed reporting templates, prescribed kind of attestation templates, etcetera. But even still, TCT Portal has the capability for, again, in terms of serving our clients, we’ve got the ability to integrate even custom reports.

Adam Goslin
So where we’ve got an organization going up against a standard that doesn’t have a pre-prescribed thou all shall use this template type notion like SOC, NIST, it allows those organizations to generate, to use or leverage their own customized reporting templates.

Adam Goslin
We could do the same thing really with any standard and put it onto their own custom reporting templates, etcetera. Yeah, it’s a really frickin’ big deal. And I think in a lot of cases, part of the challenge is that these organizations, they’ve been doing this for a week or three.

Adam Goslin
It’s almost like they’ve become used to the pain. And it’s really, really fun when you see the light bulbs go on, they go in and they give it a shot. They enforce, hey, we’re going to use this tool, etcetera.

Adam Goslin
They gain that consistency. They have all of this information available at their fingertips year over year. They’re automagically generating reports coming straight off of the system end and end and end.

Adam Goslin
And it’s usually, they’ll look back when they’re a couple of years down the road. If they’ve gone and done the implementation work properly, etcetera, they’ll take a look back. And it’s kind of fun as they reminisce about all of the 18 dimensions of hell that they used to go through.

Adam Goslin
It’s fun when they make that connection.

Todd Coshow
Absolutely. Parting shots and thoughts for the folks this week, Adam.

Adam Goslin
Well, I mean, you know, any compliance management tool that’s forcing you to use their way of doing things, it diminishes your competitive advantage, period. You know, like I said, we built the TCT portal from the ground up to help you preserve those advantages, preserve your experience, you know, etcetera.

Adam Goslin
So you can bring them to your engagements. That’s, in my mind’s eye, that’s part of our job, you know, is to do that for, you know, for our clients. You know, not only does it allow organizations to set themselves apart from competition, but they’ll be able to gain, you know, the efficiencies that will continue to separate you from your, you know, from your competition, if you will.

Todd Coshow
Especially because you’re talking about being able to build in those efficiencies regardless of personnel.

Adam Goslin
Yeah. Yeah. And the consistency you get, I mean, there’s just, and, and, and there’s just, there’s a ton of freaking benefits. I mean, I, I’ve said it before on the, on the pod, but the, the generation of the TCT portal literally was the tool I wished that I’d had when I first had to go through this process of going through compliance, you know, as an organization subject to it and seeing the struggle that the assessor had to go through on that,

Adam Goslin
you know, kind of on that first engagement, it’s literally the tool I wished I had. And so, you know, the, the, you know, I said it earlier, I kind of, I kind of fluffed by it, if you will, but, you know, I can’t underscore the benefits that come in for the organization as they’re going into year two, year three, etc.

Adam Goslin
You know, you think about it, right? There’s, there’s, for any given client and, and the assessors that are, they’re listening to this are busy chuckling themselves as I’m saying this, but, you know, you go into year two and all of a sudden it’s like you’re, you know, some of the people that you’re working with, or maybe even all the people you were working with last year, they’re not part of the engagement this year,

Adam Goslin
you know, and, and, and it’s like Groundhog Day, you know, Bill Murray and I’m, you know, hitting the alarm clock, you know, the bottom line is, is that, is that it’s brutal, man. You’re, you’re explaining the same stuff, you’re answering the same questions you’re over here, the clients are even the clients that were on the engagement last year, right?

Adam Goslin
They don’t remember, it was what, 11 months ago, when they get over and they submitted this evidence, they’re not going to freaking remember what they did. So having last year’s stuff, everything, immediately referenceable for your customers, immediately referenceable for your assessors.

Adam Goslin
It is, it is absolutely enormous how big of a deal it starts to make in the overall efficiency. And this is really efficiency. It’s not just efficiency for the, for the assessment firm, but this is efficiency for your customers as well.

Adam Goslin
Dude, that’s a, that’s a, that’s a big freaking deal. And, you know, and the last, the last thing that I would say about, you know, kind of about the notion of the leveraging of, of TCT portal, you know, is really, when we started this and we lost, you know, I think the portal was, it was ready for prime time in probably Q3 of 2014, but we, we opted to wait till January because a lot of the assessors were real busy trying to get through the end of the year.

Adam Goslin
But from day one, when we first launched this thing in 2015, ever since then, one of the big key differentiators is that, you know, we have a policy with our, with our clients that, Hey, if you think you come up with a cool idea, some type of a feature you’d like to see on the platform, whatever it may be, go ahead and submit it.

Adam Goslin
Because, you know, at this point in the game, each of our functional releases easily are 95 plus percent client requested functionality at this stage of the game. And the other side of it, that’s a huge benefit is that for the folks that are just stepping, dipping their toe into the space now, guess what?

Adam Goslin
They get, they get to leverage a platform that’s had eight plus years of suggestions, recommendations from folks that have been dealing with, you know, dealing with and assessing compliance, you know, out in the marketplace, they’re, they’re able to take advantage of all of that, you know, all of that benefit.

Adam Goslin
And I strongly encourage every single client to actively participate, you know, in those suggestions and recommendations. It’s a, it’s a really big, it’s a really, really big deal. And it’s something that I really love about what we’ve, you know, what we’ve built here at TCT.

Todd Coshow
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

Adam Goslin
And I’m Adam Goslin, hope we help to get you fired up to make your compliance suck less.

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
